Focused data analysis can uncover problems, opportunities
Donald E. Sparks, CIA, CISA, ARM
Our economic situation has prompted many companies to rethink how they conduct business, which includes taking a closer look at expenses in an effort to control costs. Accountants and internal auditors should be working aggressively to identify weak or missing controls, reduce risk, and detect fraud in an effort to offset the lower revenues most companies are experiencing.
While system and data errors can serve as a breeding ground for fraud and abuse, internal auditors can apply data analysis techniques to identify issues within the organization’s data. Data analysis tools allow the auditor to interrogate large volumes of data, and run multiple queries to look for and extract unknown information, which assists in detecting internal control violations, errors and potential fraud.
For example, travel and entertainment expenditures are often a significant business expense and may be the difference between generating a profit or loss for the period. By conducting regular audits of T&E expenses, organizations can improve internal controls over employee costs and establish a tone of compliance for all employees to follow.
When auditing T&E expenses, the auditor needs to gain a clear understanding of processes for approving, recording and reimbursing expenses. Data analysis may be used during the planning phase by providing summary information for scoping purposes, such as calculating average amounts. If the data is available in electronic format, the auditor may use a pivot table to prepare summaries of expense types by employee and extract the most frequently reimbursed employees or those who charge the majority of their travel expenses to “miscellaneous,” which should be a rarely used option on expense reports. This preliminary information can be shared with management to justify the time and resources needed for a full review.
As risk assessments are conducted each year, internal auditing and management should look for gaps in controls, and work to improve expense monitoring activities. Data analysis tools can help identify the root causes of why procedures are redundant, missing, deficient or defective.
An appropriate risk-based methodology will help set audit priorities based on probability of occurrence and impact. Areas to review and test may include business information systems and the business units that own or maintain each system, data life cycles for each system, and system permission levels.
Obtaining T&E expense reporting data is a key step for auditors and management, including how the data is collected and managed. With adequate and reliable data, internal audit can assess T&E processes and look for opportunities to leverage savings, or identify fraud. Some data sources to consider are: employee reporting forms, pre-trip booking, travel agency booking, credit cards, budgets, travel advances, authorization levels and foreign exchange currency rates.
Calibrating the response
While internal auditors are responsible for telling management where controls are working as designed, they are also responsible for uncovering significant errors, irregularities or noncompliance, and being alert to fraud. The first step in developing a response is determining the level of response needed — extensive, moderate or minimal. The application of data analysis can assist in these areas to help search for errors and irregularities, and tests may be used by the operating units to improve internal controls.
While general office applications such as spreadsheets are familiar to most staff, they may not be sufficient for auditing techniques including acquiring, merging, sorting and sampling data. Data analysis tools are designed specifically for conducting audits — to match and join data from multiple sources, search for specific text, and use date and time fields.
During the testing phase, internal audit should identify, analyze, evaluate and record sufficient information to achieve the engagement’s objectives. Testing should cover the accuracy and propriety of the expense report transactions, as well as the integrity and reliability of the performance management information system. Various volume and service level agreements may require testing as well.
Auditors must provide the necessary documentation to support findings and communicate the conclusions. Report-writing is another audit area where data analysis can be used to align the test results with the report requirements. Data analysis tools help maintain the history of analysis activities to support audit conclusions and ensure the auditing work did not introduce data integrity and reliability issues into the workpapers.
During the closing conference, the internal audit team should share experiences that will help strengthen monitoring activities and improve future audits. This should include recommendations to management about how to be sure that past or new problems do not arise, which may be accomplished weekly, monthly or periodically through continuous auditing and monitoring.
Continuous auditing is not a tool, but rather a process for auditors to follow for planning, risk assessments, control assessments and use of technology to perform audit work. It can bridge the gap between the audit report and the practice of ensuring that the identified issues have been rectified.
The following is a brief case study of how expense reports became a starting point of the development of a continuous auditing approach that helped reduce risk and improve overall controls.
A company tested expense reports by random selection, examining larger dollar charges to travel expense categories. While exceptions were found, no significant conclusions were drawn and the area was assigned for review again in three years, in which time the company experienced substantial growth. Internal audits used data analysis tools to summarize T&E expense details for 60 cost centers, noting which had higher instances of exceptions or anomalies in multiple test areas. Test areas included data on late expense reports, high dollar amounts charged to miscellaneous, high airfare, high bonus, duplicate payments, etc. One third of the cost centers with the highest instances of exceptions and anomalies were related to marketing, and identified three individuals with infractions.
The internal auditors created scripts from the data analysis tests so the high-risk areas/ employees could be monitored for possible fraud or abuse. The risk ranking allowed the auditors to select which cost centers and employees to audit more frequently. In this case, continuous auditing was used to help determine when and where to deploy internal auditing resources and learn what issues and patterns exist so future audit plans focus on specific areas of abuse.
As internal auditors are tasked with more work and fewer resources, companies need to utilize available technologies to mitigate risk and identify potential fraud. T&E expenditures require the same attention, testing and evaluation as other significant accounts payable activities. Data analysis helps focus on potential violation areas and quantify the impact, and can be used to generate continuous auditing processes that help reduce future incidents of fraud.