Risks of Remote Working

Analyze with Intent & Protect Your Profits

As the world fights against the spread of COVID-19, many businesses are in the front lines of the economic impact. With employees working remotely, the risk of fraud increases considerably. CaseWare IDEA® has integrated features dedicated to help your team work more efficiently, prevent fraud and data theft, and safeguard your profits.

With a proactive examination of fraud risk factors, such as pressures, incentives, opportunities, and rationalizations, increased areas of vulnerability can be identified. The Discovery feature uses Analytic Intelligence to identify trends and outliers displayed in dashboards to track high-risk areas that can be further refined. If you’re uncertain where to start, Discovery is a recommended preliminary resource to combine with the other critical areas outlined below.

Payroll

Remote work makes monitoring payroll a more complicated endeavor and increases vulnerabilities to fraud. In addition, separation of duties becomes challenging to enforce, with basic tasks such as writing and signing checks. As a result, payroll fraud is much harder to detect. For example, an employee with administrative rights can set up a false employee ID and arrange for payroll checks to be mailed to a P.O. Box address.

Payroll errors may be found by cross-matching a list of existing employees with payroll records. This task is simplified by using a data analysis tool to join fields from separate databases to test for matching or non-matching data across files.

Extractions, or exception testing, can be used to help isolate information for review. By applying the extraction function, user-defined criteria can isolate paychecks that did not have taxes withheld or analyze addresses to help uncover ghost employee schemes.

Analytic Applications for Payroll

Critical Data Fields: Payroll Master File

• Duplicate employees with the same bank account or address
• Employee status not matching the termination date
• Exempt hours worked vs standard hours
• Non-exempt hours worked vs expected hours
• Hours worked vs hours paid
• Employee start date after paycheck date
• Terminations within 14 days of hire
• Invalid pay rates (actual/calculated vs. master file)
• Excessive gross pay
• Job record deletions (data corrections not using effective date)

T&E/Purchasing Cards

During times of uncertainty and financial instability, employees holding corporate credit cards or purchasing cards may be tempted to use them for personal interests.

Travel and entertainment expenditures are usually a significant business expense and may often be the difference between generating a profit or loss for a given the period. It is also an area where controls are not as stringent as they should be. Frequently, violators are managers or executives who consider themselves above scrutiny due to their level or seniority in the organization.

For example, a CFO was prosecuted for stealing more than $1 million by falsifying expense reports for employees who had left the company. By using data analysis, the investigating auditor simply joined files to compare employee release dates with reimbursement dates – excluding reimbursements to employees who had left within 14 days. By joining these two data sets, the auditor was able to see that the CFO was approving expense reports for employees who had left the company several months prior.

Travel & Entertainment/Purchasing Card Tests

Critical Data Fields: Cardholder master, expense reports, etc.

• Invalid cardholder (no matching employee or terminated employee)
• Duplicate cardholders by employee ID or address
• Suspicious MCC or keyword in the transaction description
• Declined or disputed transactions
• Split purchases
• Duplicate purchases (same merchant, same amount)
• Even or small dollar amount transactions
• Weekend and holiday transactions
• Potential duplicate reimbursements: gas with mileage or p-card purchase with AP request
• Spending limits on transactions: expensive hotel stays or meals

Time Sheets

Work-from-home policies often require staff to log their work hours. While most employees are honest, some may take advantage of the reduced oversight. When budgets are tight, many companies reduce overtime hours for non-essential staff.

IDEA can be used to analyze costs for special pay, overtime, premium, etc. Here are a few areas of application:

• Show hours worked by employees over a specific period
• Compare target and actual hours worked
• Compare target and actual client hours
• Search for irregularities before timesheets are approved
• Identify employees who worked weekends or holidays
• Analyze which projects or processes are taking more time than anticipated
• Search for fictitious employees
• Search for instances where timesheets were submitted for terminated employees or employees on vacation

Identify Control Issues for Data Theft Prevention

With work-from-home orders in place, unsupervised access to systems and files greatly increases risk levels. Data breaches and unprotected IP can leave your organization vulnerable to proprietary loss, legal issues, and even reputational damage. Employees working remotely from unsecured networks make your business data more suspectable to cybercrime.

During a recession, departing employees are more likely to take intellectual property with them to either sell or increase their chances of being hired by a competitor. Technology advancements make it easy for employees to steal data by loading it onto external drives or uploading data to a file hosting service, such as Dropbox. Both methods are inexpensive, require little effort, and have extensive memory capacity.

Organizations should not wait for an infraction before building a risk management program and using data mining and analysis to help minimize risk of breach and data loss. Preparation and planning can also be used in a proactive capacity to establish “what if” scenarios and work to reduce business risks. Risk assessment plans should be conducted frequently – annually at a minimum in conjunction with a comprehensive audit plan to consider risk and address control concerns identified by management. Detailed information should be documented on all systems used in the organization, including their ownership of the systems and the purpose and reliance within the company.

The key to establishing an appropriate risk-based methodology is based on the probability of occurrence and impact. First, create an inventory of all current and future business information systems. Interviews should be conducted with the business units that own and maintain each system to identify potential issues or security gaps.

Second, document the data life cycle for each system, including the data source, collection method, storage and back-up process, usage patterns, and distribution process, including retention and destruction. When assessing the data life cycles, be alert to the issues that may arise with separation of duties.

Third, document permission levels granted to specific employees or groups of employees in each system. Be sure to include the process of how permissions are granted and changed over time. Data analysis scripts can be developed to continuously review data and provide a summary of users by permission level, time of day/week, etc across all systems. Cross-matching may be applied to check for validation of user access to password-protected systems as well.

Here are a few immediate measures you can take to protect your data:

• Require remote employees to work only on secure networks using company-owned devices
• Work with IT to manage software updates, rather than giving employees administrator credentials
• Ensure all employees have reviewed and agreed to acceptable use policy for electronic devices, social media, and proprietary systems
• Provide security training refresher courses to remote employees
• Utilize high-quality firewalls and virus scanners

Firewall logs will increase under remote working conditions, generating thousands of network transmissions each day. IDEA’s ability to import PDFs and text files from firewall logs to test for approved host connection requests.

It can be used to analyze these logs to identify trends and exceptions, such as:

• Most frequent IP addresses attempting to access the network
• Actions upon connection (i.e., control, accept or drop)
• Common access times to identify requests during unusual times

The best way to reduce fraud risk when employees are working remotely is to keep them informed and hold them accountable. Implementing a strong fraud policy, coupled with data analytics can mean the difference between keeping operations running smoothly or suffering significant losses.

Audimation is here to help you put data analytics to work! Whether you’re interested in expanding your use of IDEA or need additional support during this time of uncertainty, our team of experts are ready to assist.

Contact [email protected] to get started with your risk-reduction & cost-containment journey today.