When working with rows and columns of data to spot suspicious behaviors, fraud and errors can look very similar to one another. Missing information can also indicate fraud, but is difficult to find if data from different systems is not joined together for comparison.
The ACFE Report to the Nations includes a graph which quantified how much time it takes to identify fraud. Only 26.4% of frauds are found in six months or less, and 7.8% take more than 60 months to find. The median loss from occupational fraud was a whopping $150,000. As technology gets “smarter” so do the fraudsters working to outsmart the system.
Auditors have traditionally used data analytics for rule deviations, time-series analysis, category/peer group outlier investigation and other methods; but is that enough? Fraud could lurk within process reengineering opportunities, business/process efficiency opportunities, groups working in silos, revenue leakage, and/or payment abnormalities. These anomalies, errors, fraud, waste and abuse can be found in discrepancies between systems that should not exist. Data analytics can be used to pinpoint patterns and trends of suspicious behavior, deviations from the rules, and associations and correlations that should, or should not, exist to uncover fraudulent activity.
You can’t audit what you don’t understand. It’s important to gain as much knowledge about the organization you’re auditing as possible. What are the management styles of the leadership? How are teams structured? What is the culture like? What controls are in place and how are they communicated? What motivates the employees and what types of relationships do they share?
Finding the answers will also help you understand the data, which is a major step towards discovering what should not be there. Use facts to drive key questions, and data analytics as the truth serum.
When investigating rule deviations, the deviations will most likely be from business rules or industry standards, from the rules of nature, or potentially from contractual terms. During a time-series analysis, are you suspicious of the time of day or the day of the week? Of a month or a holiday? Or would you like to find out whether there are time gaps or a deviation in the order of events, the actual cycle of the process? Or maybe the answer is found purely in category or peer group outliers.
While most auditors are natural critical thinkers, detecting peculiar behavior requires innate skepticism and an inquisitive approach. It is also important to be creative, collaborative and persistent. Finding the answer may require you to revisit the same sources more than once. Solid interviewing techniques and management skills also help ensure the process runs smoothly.
The same audit approach, the same reports regenerated on a schedule yielding the same results and findings won’t give you much. You cannot find issues that you have historically overlooked by looking at things the same way you’ve been looking. You need to challenge your reporting and audit approaches to find what you’ve missed. This expands your contribution to the overall business strategy, and improves the auditor opinion, not to mention the possibility of saving the client money. With data analytics, data can be examined from different angles, perspectives and possibilities, especially those that may have been overlooked previously.
Start by asking, “What are you looking for in an audit? What is your intention?” Audit traditionally looks at rule deviations, and in some cases, these could be vast. There are deviations from the business, contract or industry rules. These areas are well known to audit. How about deviations from the rules of nature? An example of this is a time-series analysis audit. Is your query about time of day, day of week, month, or is it a holiday? Are you suspicious of strange timing, the order of events or gaps? How about if you expand that microscope to categories, such as peer group outliers?
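The timing questions above can be turned into repeatable tests. The following Python sketch is an added example, not part of the original article and not IDEA functionality; the postings, holiday calendar, business hours and 30-day cycle limit are all constructed assumptions.

```python
from datetime import datetime, date, time

FMT = "%Y-%m-%d %H:%M"
# Constructed sample postings: (id, approved_at, paid_at). Not real data.
POSTINGS = [
    ("P-1001", "2024-03-04 10:15", "2024-03-06 14:02"),
    ("P-1002", "2024-03-09 23:41", "2024-03-11 09:30"),  # Saturday, late night
    ("P-1003", "2024-03-13 11:00", "2024-03-12 16:20"),  # paid before approval
    ("P-1004", "2024-07-04 13:05", "2024-07-05 10:00"),  # approved on a holiday
    ("P-1005", "2024-03-14 09:00", "2024-05-20 09:00"),  # unusually long cycle
]
HOLIDAYS = {date(2024, 7, 4)}          # assumed holiday calendar
OPEN, CLOSE = time(7, 0), time(19, 0)  # assumed business hours
MAX_CYCLE_DAYS = 30                    # assumed normal approval-to-payment cycle

def stamp_flags(label, ts):
    """Time-of-day, day-of-week and holiday tests for one timestamp."""
    out = []
    if ts.weekday() >= 5:
        out.append(f"{label}:weekend")
    if ts.date() in HOLIDAYS:
        out.append(f"{label}:holiday")
    if not (OPEN <= ts.time() <= CLOSE):
        out.append(f"{label}:off_hours")
    return out

def timing_flags(postings=POSTINGS):
    """Return {posting id: [reasons]} for every posting that fails a test."""
    flagged = {}
    for pid, approved, paid in postings:
        a, p = (datetime.strptime(s, FMT) for s in (approved, paid))
        reasons = stamp_flags("approved", a) + stamp_flags("paid", p)
        if p < a:                                # order of events is wrong
            reasons.append("out_of_order")
        elif (p - a).days > MAX_CYCLE_DAYS:      # time gap in the cycle
            reasons.append("long_cycle")
        if reasons:
            flagged[pid] = reasons
    return flagged

if __name__ == "__main__":
    for pid, reasons in timing_flags().items():
        print(pid, ", ".join(reasons))
```

A flag is a prompt for a question to the process owner, not a finding; a weekend approval may be legitimate month-end work.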
When asking questions, people skills come into play. Interview the peers in the group, use your critical thinking and management skills to see the whole picture from the auditors’ viewpoint. Be inquisitive, skeptical and creative. Your need for information and data can only be fulfilled by being collaborative and a team player, with a bit of persistence and relentlessness. People feel attacked when they are investigated, and you need to put them at ease. Let them know you are here to help their department by investigating processes. Understanding the people is key to understanding the money.
In today’s audit, if you don’t have all this knowledge, issues tend to be overlooked. If you follow the same old methods, the same audit approach, the same reports, you will not be surprised when you get the same results and findings, and the fraudsters learn the process and are able to hide. You cannot find issues that you have historically overlooked by looking at them in the same fashion every time. Challenge your reporting and audit approaches to find out what you have been missing! Have some fun in IDEA, using your customer knowledge to deliver those unique insights that just might give the customer the edge they wanted and didn’t know was possible.
Arthur Conan Doyle, creator of Sherlock Holmes, once wrote, “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”
Many times, auditors are tasked with not only analyzing the data, but fighting an uphill battle to simply receive the data necessary to do the job. Before you can audit, you must be an investigator. You conduct your investigation under the guise of information gathering and many times have to go back more than once to the sources you know. You need to know what data is available and where it is housed. Who has access, and are the datasets currently reported upon? Who inputs the data and how can it be manipulated? Is there a system in place to audit these datasets already? Take an information-gatherer mentality to find what fields you need to include in your dataset.
The answer could be in the software interface that has the fields you need. Or it may be in existing reports. And you can always ask for all the fields then narrow the population yourself, although asking for all the data may make the IT gatekeepers nervous. Another avenue is using a data dictionary, or scheduling a meeting to get a walk-through of the data. You can also try requesting sample data first, such as a day’s or a week’s worth of data, then expand your request.
The types of data to analyze are growing exponentially. Some common ones that are still primarily in audit and not shared across a company include:
This data could be acquired from sources ranging from QuickBooks to SQL. It may arrive as reports of transaction details, table downloads, online system access, and of course hard copies, PDFs, audit logs and spreadsheets. It can become messy and tedious. IDEA takes care of these issues through its Project Overview, Field Statistics and Control Totals tasks, which help verify the data and serve as a resource for reporting and business data assurance. Data normalization through IDEA happens in many different ways, depending on your need. Gap Detection, Join and Merge, Summarization, Duplicate Detection, and Benford’s Law are just a few places you can start.
Find out what roles sequential numbers play in the business unit or process, and which systems are disparate or in silos that should be reconciled. How can concentration impact risk? This could be users, vendors, employees, customers, invoices, etc. Does an employee live close to a vendor with unusual payments? Are the invoice numbers sequential? Although you may not find anything in your search, you have identified where there is not a problem. Trial and error is needed to find the way that works in every situation.
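Three of the tests named above (gap detection on sequential invoice numbers, duplicate detection, and a Benford’s Law first-digit comparison) are sketched below in Python. This is an added example, not the article’s code and not how IDEA implements these tasks; the ledger is constructed sample data.

```python
import math
from collections import Counter

# Constructed invoice ledger: (invoice_no, vendor, amount). Not real data.
LEDGER = [
    (5001, "Acme Supply", 1240.00), (5002, "Acme Supply", 310.50),
    (5003, "Birch Tools", 1875.25), (5005, "Birch Tools", 940.00),
    (5006, "Cobalt LLC", 9800.00), (5007, "Cobalt LLC", 9750.00),
    (5008, "Cobalt LLC", 9900.00), (5009, "Acme Supply", 310.50),
    (5012, "Dune Freight", 2210.10),
]

def sequence_gaps(ledger):
    """Invoice numbers missing between the lowest and highest number seen."""
    seen = {no for no, _, _ in ledger}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def duplicate_payments(ledger):
    """Same vendor and same amount recorded under different invoice numbers."""
    groups = {}
    for no, vendor, amount in ledger:
        groups.setdefault((vendor, amount), []).append(no)
    return {key: nos for key, nos in groups.items() if len(nos) > 1}

def benford_excess(ledger):
    """Observed minus Benford-expected share per leading digit (amounts > 0)."""
    # Scientific notation puts the leading significant digit first: 9800 -> "9.8e+03".
    digits = Counter(int(f"{amount:e}"[0]) for _, _, amount in ledger)
    n = sum(digits.values())
    return {d: digits[d] / n - math.log10(1 + 1 / d) for d in range(1, 10)}

if __name__ == "__main__":
    print("missing invoice numbers:", sequence_gaps(LEDGER))
    print("possible duplicates:", duplicate_payments(LEDGER))
    excess = benford_excess(LEDGER)
    worst = max(excess, key=excess.get)
    # Nine rows are far too few for a real Benford test; the sample only
    # shows how amounts clustered under a round limit stand out.
    print(f"most over-represented leading digit: {worst} ({excess[worst]:+.2f})")
```

Each result narrows the population to review: missing numbers may be voided documents, and a vendor/amount repeat may be a legitimate recurring charge.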
Find the root cause through your assessment. The findings can be used as a road map. By studying the environment that surrounded the findings, you can answer what the key driver of the issue was and how these opportunities can be eliminated from the organization. Does the organization need culture damage control, or how can the process be changed?
Risk is not only found on the finance side. People cause good and bad changes alike that affect the bottom line. To limit that risk, audit can embrace the non-traditional areas and help to prevent that loss.
Information for this article was sourced from a presentation by Chris Peters, GPS Consultants, LLC, during the 2017 IDEA Innovations Conference in Houston. GPS Consultants is an IDEA Integration Partner specializing in custom IDEAScript development, business process automation and data analysis consulting.