2016 MSCPA Fraud Conference Presentation

Using Data Analytics
to Find Fraud Indicators
Ron Steinkamp
Joe Montes
November 30, 2016

• COSO Fraud Risk Management
• What is Data Analysis?
• Data Analysis Benefits & Challenges
• Perspectives on Data Analysis
• Using Data Analysis to Find Fraud Indicators
• Exercise
2
Agenda
© 2016 All Rights Reserved
Brown Smith Wallace LLP

• COSO issued Fraud Risk Management Guide.
• Guidance on how to deter fraud.
• 5 Fraud Risk Management Principles.
• Aligned with the COSO Framework Components
and Principles.
• Further detailed in Points of Focus related to
each Principle.
• Can be used as a starting point to develop a
Fraud Risk Management Program.
4
COSO Fraud Risk Management Guide

1. The organization establishes and
communicates a Fraud Risk Management
Program that demonstrates the expectations of
the board of directors and senior management
and their commitment to high integrity and
ethical values regarding managing fraud risk.
CONTROL ENVIRONMENT
5
Fraud Risk Management Principles

2. The organization performs comprehensive
fraud risk assessments to identify specific fraud
schemes and risks, assess their likelihood and
significance, evaluate existing fraud control
activities, and implement actions to mitigate
residual fraud risks.
RISK ASSESSMENT
6

3. The organization selects, develops, and
deploys preventive and detective fraud control
activities to mitigate the risk of fraud events
occurring or not being detected in a timely
manner.
CONTROL ACTIVITIES
7

4. The organization establishes a communication
process to obtain information about potential
fraud and deploys a coordinated approach to
investigation and corrective action to address
fraud appropriately and in a timely manner.
INFORMATION & COMMUNICATION
8

5. The organization selects, develops, an
performs ongoing evaluations to ascertain
whether each of the five principles of fraud risk
management is present and functioning and
communicates Fraud Risk Management
Program deficiencies in a timely manner to
parties responsible for taking corrective action,
including senior management and the board.
MONITORING ACTIVITIES
9

• Data analytics is addressed as a Point of Focus
within the Fraud Risk Management Principles.
Use data analytics for fraud risk assessment and
response.
Use proactive data analytic procedures to identify
transactions or events for further investigation.
• Appendix E of the COSO Fraud Risk
Management Guide covers the use of data
analytics in fraud risk management.
10
What Does This Have to Do With Data Analytics?

• Process of extracting, inspecting, cleaning,
transforming, and modeling data in order to
discover useful information, derive conclusions,
and support decision-making
– Employees are not using a system field as intended
– Controls are not functioning properly
– Vendor master access should be restricted
12
Data Analysis Defined

• 100% vs. sampling
• Brings Operational and IT together
• Comparison to an outside source
• Identification of control weaknesses
• Re-performable
• Red flags and trends
• Log = Workpaper
14
Data Analysis Benefits

15
Challenges
Overall
•Employee Resources
• Limited know how
• Analysis is most effective with good business,
process, and system knowledge
• Check the box mentality
•What is Success?
•Technology Choices
•Boiling the Ocean

Data Quality and Availability
• Lack of access
• Disparate systems
• Weak system controls lead to bad data
• Bad data leads to bad information
• Integrity tests:
• Corruption
• Completeness
• Uniqueness
• Logical relationships
• Proper boundaries
16
Challenges

Actual Objectives
• Ability to effectively achieve objectives selected
• Defining exceptions
• Investigating exceptions
• Business processes change
17
Challenges

• The AICPA has said that use of technological
improvements in Audit have been incremental rather
than transformative
• To advance data analytics in Internal Audit
– Data analytics must be part of the mission
– Funding must be available to buy the tools and provide training
– Auditors must learn the appropriate skills
– Time must be budgeted and allocated
– The data must be readily available
– The data must be accurate
19
Data Surveys

• Internal Audit initially detecting fraud increased from
14.4% to 16.5% between 2012 and 2016
• Larger organizations showed Internal Audit detecting
18.6% of cases
• Greatest Inhibitors to Data Analysis Success
– Lack of appropriate skills
– Data to be integrated is not clean
– Complexity of implementation
– Inability to integrate necessary data sources
– Lack of integration with existing systems
– Solutions are difficult to use
– Inability to customize for specific needs
20
ACFE

“Not auditing the data in your company’s ERP system wastes the
amount of money and time spent implementing it.”
“Analysts can’t just be good at scripting, they have to be able to identify
risks, interpret results, and audit exceptions.”
“None of the technologies understand relationships, business changes,
or critical thinking. The Human factor will always be there. You will
never set it and forget it.”
“Everything IT serves the business and is not just an IT risk.”
“In 10 years, computers will do all of this and humans won’t be
needed.”
21
Recent Conferences

“Analytics should be used to add, drop, and accelerate audits in the
audit plan. It should not be a document updated yearly.”
“Coordination between Compliance and Internal Audit to share data
and coordinate schedules will increase everyone’s effectiveness.”
“Data analysis is worth the effort. So much to gain. Hang in there.”
“Every control review can have a fraud focus with data analytics and
the right auditors.”
Intelligence should not be acquired just for the sake of integrating more
data; the strategic focus should be on ‘acquiring intelligence with a
purpose’.”
22
Recent Conferences

• First Thing!
• Various standard steps
to understand a file
• Experience
Hours
Reputation
24
Data Integrity Verification

Main Categories
• Statistics
• Counts
• Totals
• Blanks
• Classifies
• Duplicates
• Gaps
• Logical Relationships
25
Data Integrity Verification

Ghost Employee red flags
• Duplicate addresses, routing numbers, SSNs
• Employee record has been accessed/edited by one person
• HR compared v. Payroll v. other systems
• No withholdings or deductions
• No vacation or sick time
• No overtime for hourly
• Blank fields
• PO Box
26
Payroll

Payment Red Flags
• Frequent changes to bank numbers
• Terminated employees with current pay
• Employees with multiple bank accounts
• Bank accounts with multiple employees
• Excessive Overtime
27
Payroll Continued

Process Red Flags
• Segregation of duties
• Date Comparisons
• Quantity Comparisons
• Amount Comparison
28
Accounts Payable

Employee / Vendor Red Flags
• Same name
• Matching addresses or
routing numbers
• Last name or Initials as part
of vendor name
• Disclosure and emergency
contact comparison
29
AP Continued

Vendor Red Flags
• Same vendor with different vendor number
• Vendor type does not match vendor spend
• Vendor type does not match purchaser
• Frequent or Inappropriate changes
• Inactive vendor with activity
• Unusual payment terms
• PO Box or no address
• One-time vendors
30
AP Continued

Payable Red Flags
• Frequent or Inappropriate changes
• Single payment run
• Payment runs at unusual times
• Checks to different address than master
• Invoice and check sequence
31
AP Continued

Duplicate Red Flags
Same expense reimbursed more than once
• Identify employees that report expenses for the same
transaction dates on multiple expense reports. This makes
duplication harder to identify.
• Look at transactions not paid via company card, could also be
duplicate of card transaction (same date, transaction amount,
and vendor/expense type).
• Identify same transaction reported on
different individuals’ expense reports.
32
Travel & Entertainment

Other Red Flags
• Unexpected dates, vendor names, individual names, or
keywords
• Round dollars (gift cards, cash)
• Employees who have more than the average quantity or
amount of transactions in higher risk or specific expense
categories.
• Identify expenses with unusual
Merchant Category Codes
(MCC) based on company
policy or transaction type
selected by the employee.
• Spending zip code
33
T & E Continued

Other Red Flags
• Weekends or holidays
• Declined or disputed transactions
• Large transactions
• Active cards v. current employee
• Approval workflow
• Missing receipts
34
P-Card

Foreign Corrupt Practices Act
• It is unlawful to make a corrupt payment to a foreign official for
the purpose of influencing the official in order to assist in
obtaining/retaining business
• Companies who file reports with the SEC must maintain
records that accurately reflect transactions and the nature and
quantity of corporate assets and liabilities
• Yates memo made it personal
• Lower fines by making corruption as
difficult to perpetrate as you can
35
FCPA

Other Red Flags
• Names and addresses on the SAM list, etc.
• Keyword search in payables, general ledger, P-Cards, T&E
• Journal entries with unexpected account combinations of
accounts (e.g. debit to sales/credit to cash)
• Analyze sales and commission information
• Identify payroll, travel advances, or
travel reimbursements to non-employee
• Test currency exchange expectations
• Purchasing costs
36
FCPA

What data analysis procedures can we utilize
to help identify a fraud where employees
create approximately 2 million fake
bank/credit card accounts?
38
Question???

Employees/Managers/Locations Who
• Consistently meet or beat performance quotas
• Have more than average number of accounts that have not been
accessed by account holder (activity files exist for everything)
• Have more than average number of accounts opened without
customer service interaction (in person, phone, app, online is traced)
• Have more than average number of accounts closed within # days of
opening
• Have more than average number of accounts opened for the same
customer within # of days
• Have complaints against them (textual analysis of complaint tracking
system)
Challenges
• What about the really good salesperson?
• No complaints, surely has a bad month,
• Widespread could cause averages to be skewed
39
Audience Participation

• Fraud is not going away and we need to devise better
methods to prevent and detect it as early as possible.
• The new COSO Fraud Risk Management Guide encourages
the use of data analytics.
• Data analysis is a great preventative and detective control for
fraud.
• If people think you are watching, they are less likely to try to
commit fraud
• Payroll, P2P, T&E, and FCPA are great places to start
• Hindsight is 20/20, but it can be applied to the future.
40
In Summary

Any Questions?
Ron Steinkamp | rsteinkamp@bswllc.com | 314-983-1238
Joe Montes | jmontes@bswllc.com | 314-983-1380
41
A Measurable Difference
6 CityPlace Drive, Suite 900│ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ bswllc.com
Brown Smith Wallace is a Missouri Limited Liability Partnership

2016 MSCPA Fraud Conference Presentation

More Related Content

What's hot

Viewers also liked

Similar to 2016 MSCPA Fraud Conference Presentation

More from Ron Steinkamp

2016 MSCPA Fraud Conference Presentation