Audit tools help enhance fraud risk assessments.
Organizations that use predictive analysis tools to monitor data detect fraud sooner and incur far-lower losses than other businesses.
Digital Alisanne Gilmore Allen, CIA,CRMA,CFE,CISA Feb 21, 2022
Data analytics is one of the most effective anti-fraud controls. According to the Association of Certified Fraud Examiners 2020 Report to the Nations, organizations that use predictive data analytics discover frauds much sooner than organizations that don't monitor data for signs of fraud, and those frauds were 33% less costly.
One reason for these findings is that data analytics can help internal audit perform fraud risk assessments more effectively. These assessments may involve identifying a common set of fraud risks — related-party relationships, fraudulent vendors, and payroll schemes — and mapping them to internal controls designed to mitigate them.
Deeper dives and additional analytics may lead internal auditors to identify potential fraud risks that may not be obvious from an initial glance. Some frauds may be difficult for practitioners to detect, given the sophistication of the crimes. However, with the appropriate technical skills and use of IT audit tools — and the imagination of a fraudster — internal auditors can increase the likelihood of identifying issues that warrant further investigation.
Many organizations have policies that prevent employees from engaging with related-party vendors without appropriate disclosure. Such policies would not allow an employee to hire his or her spouse's organization to provide services without a competitive bid, for example. In such an arrangement, the employee may benefit from the spouse's engagement, but the organization may not get value for the services.
Using analytics, auditors can check for relationships that should be investigated by comparing vendor addresses to employee addresses, or vendor phone numbers to employee phone numbers. Are these relationships appropriate? Were they known to the organization? Were they disclosed to leadership and in the organization's financial statements?
While these relationships may not be illegal, internal audit should confirm that management is aware of them by determining how many have been disclosed to the organization's CFO or general counsel. Also, auditors should verify that these vendors were subject to vendor-selection processes such as getting quotes from multiple bidders and providing the best prices and value to the organization.
Fraudulent vendor activity can be a costly risk. This type of fraud occurs when an employee authorizes expenses and payments to fictitious vendors.
Internal auditors can use data analytics to check whether all vendors in the organization's database are legitimate. To identify potential fraudulent vendors, auditors should start by confirming that the vendor information is complete. Analytics tools can extract vendors with incomplete profiles, especially those with missing telephone numbers or tax ID numbers. Auditors should confirm that all the vendor addresses can be validated. Moreover, they should recommend stopping payment until the vendor information is completed and validated.
Auditors also should check for suppliers with limited address details, such as only having a post office address or having a residential address for a business location. Such suppliers can generate greater risk of fraud and financial loss to the organization. Using analytics to validate addresses can detect possible risks and identify opportunities to cleanse data to improve vendor master data.
Reviewing payments with little or no sequence between invoice numbers also can reveal potentially fraudulent vendors. Performing a routine trend analysis across key data sources may detect material control weaknesses. Benford's Law analysis may identify unusual distributions of random numbers such as invoice numbers and invoice amounts.
Additionally, auditors should confirm whether the organization appears to be the vendor's only customer or is one of a few customers. Finally, were the purchases legitimate, and was the purchasing organization getting the value it expected or was there something amiss? Weekend and holiday invoicing or vendor payments also may be a red flag worth investigating, particularly if certain vendor payments are habitually processed on nonbusiness days.
Internal audit should determine what it would take to perform a vendor spending analysis. This analysis should ask:
A deeper analysis may be useful for payments to unknown vendors. Did these transactions start as a small payment that might stay under the radar and gradually increase? For example, an internal audit team using data analytics found that one of the company's software development vendors was based in a nearby residence. Looking deeper, auditors observed that spending on that vendor went from $2,000 per month for a few months to $10,000-$20,000 per month, and eventually increased to more than $100,000 monthly.
Internal auditors can use data analytics to mitigate payroll schemes by identifying duplicate direct deposit account numbers, employee names, addresses, or phone numbers. For example, if auditors extract data about multiple payroll deposits to the same bank account during a single pay period, it may lead them to discover a potential fraud. Furthermore, this type of assessment may help the organization identify previously unknown related-party relationships such as nepotism.
Internal auditors also should confirm that appropriate segregation of duties are in place between the human resources and payroll functions. For example, responsibility for adding new employees should be segregated from the responsibility to pay employees to reduce the risk of ghost employees, falsified wages, or unauthorized adjustments.
Use of data analytics enables internal auditors to view 100% of the population, rather than a sample, and can greatly enhance the assurance the audit function can provide. If common fraud risks appear to be mitigated, internal audit should think outside the box to identify unusual or unexpected risks that may be specific to the organization, its employee base, and its industry. For example, access to customer records may not be appropriately limited to those with a "need to know." Without limits, any employee with access could leverage such information to engage in illegal activities such as insider trading.
As internal audit finalizes its audit plans for the year, it should identify opportunities to expand fraud risk assessments and develop analytics that can help reduce the risk of fraud. Auditors should brainstorm to determine additional activities that may be unique to the organization's environment and include them in the risk assessment and audit plan.