2016 mscpa fraud conference presentation
Post on 15-Apr-2017
Using Data Analytics to Find Fraud Indicators
Ron Steinkamp, Joe Montes
November 30, 2016
Agenda
• COSO Fraud Risk Management
• What is Data Analysis?
• Data Analysis Benefits & Challenges
• Perspectives on Data Analysis
• Using Data Analysis to Find Fraud Indicators
• Exercise
© 2016 All Rights Reserved Brown Smith Wallace LLP
COSO Fraud Risk Management
COSO Fraud Risk Management Guide
• COSO issued Fraud Risk Management Guide.
• Guidance on how to deter fraud.
• 5 Fraud Risk Management Principles.
• Aligned with the COSO Framework Components and Principles.
• Further detailed in Points of Focus related to each Principle.
• Can be used as a starting point to develop a Fraud Risk Management Program.
Fraud Risk Management Principles
CONTROL ENVIRONMENT
1. The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
RISK ASSESSMENT
2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
CONTROL ACTIVITIES
3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
INFORMATION & COMMUNICATION
4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
MONITORING ACTIVITIES
5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board.
What Does This Have to Do With Data Analytics?
• Data analytics is addressed as a Point of Focus within the Fraud Risk Management Principles.
– Use data analytics for fraud risk assessment and response.
– Use proactive data analytic procedures to identify transactions or events for further investigation.
• Appendix E of the COSO Fraud Risk Management Guide covers the use of data analytics in fraud risk management.
What is Data Analysis?
Data Analysis Defined
• Process of extracting, inspecting, cleaning, transforming, and modeling data in order to discover useful information, derive conclusions, and support decision-making
– Employees are not using a system field as intended
– Controls are not functioning properly
– Vendor master access should be restricted
Data Analysis Benefits & Challenges
Data Analysis Benefits
• 100% vs. sampling
• Brings Operational and IT together
• Comparison to an outside source
• Identification of control weaknesses
• Re-performable
• Red flags and trends
• Log = Workpaper
Challenges
Overall
• Employee Resources
– Limited know-how
– Analysis is most effective with good business, process, and system knowledge
– Check the box mentality
• What is Success?
• Technology Choices
• Boiling the Ocean
Data Quality and Availability
• Lack of access
• Disparate systems
• Weak system controls lead to bad data
• Bad data leads to bad information
• Integrity tests:
– Corruption
– Completeness
– Uniqueness
– Logical relationships
– Proper boundaries
Actual Objectives
• Ability to effectively achieve objectives selected
• Defining exceptions
• Investigating exceptions
• Business processes change
Perspectives on Data Analysis
Data Surveys
• The AICPA has said that the use of technological improvements in Audit has been incremental rather than transformative
• To advance data analytics in Internal Audit
– Data analytics must be part of the mission
– Funding must be available to buy the tools and provide training
– Auditors must learn the appropriate skills
– Time must be budgeted and allocated
– The data must be readily available
– The data must be accurate
ACFE
• Internal Audit initially detecting fraud increased from 14.4% to 16.5% between 2012 and 2016
• Larger organizations showed Internal Audit detecting 18.6% of cases
• Greatest Inhibitors to Data Analysis Success
– Lack of appropriate skills
– Data to be integrated is not clean
– Complexity of implementation
– Inability to integrate necessary data sources
– Lack of integration with existing systems
– Solutions are difficult to use
– Inability to customize for specific needs
Recent Conferences
“Not auditing the data in your company’s ERP system wastes the amount of money and time spent implementing it.”
“Analysts can’t just be good at scripting, they have to be able to identify risks, interpret results, and audit exceptions.”
“None of the technologies understand relationships, business changes, or critical thinking. The Human factor will always be there. You will never set it and forget it.”
“Everything IT serves the business and is not just an IT risk.”
“In 10 years, computers will do all of this and humans won’t be needed.”
“Analytics should be used to add, drop, and accelerate audits in the audit plan. It should not be a document updated yearly.”
“Coordination between Compliance and Internal Audit to share data and coordinate schedules will increase everyone’s effectiveness.”
“Data analysis is worth the effort. So much to gain. Hang in there.”
“Every control review can have a fraud focus with data analytics and the right auditors.”
“Intelligence should not be acquired just for the sake of integrating more data; the strategic focus should be on ‘acquiring intelligence with a purpose’.”
Using Data Analysis to Find Fraud Indicators
Data Integrity Verification
• First Thing!
• Various standard steps to understand a file
• Experience Hours Reputation
Main Categories
• Statistics
• Counts
• Totals
• Blanks
• Classifies
• Duplicates
• Gaps
• Logical Relationships
Payroll
Ghost Employee Red Flags
• Duplicate addresses, routing numbers, SSNs
• Employee record has been accessed/edited by one person
• HR compared v. Payroll v. other systems
• No withholdings or deductions
• No vacation or sick time
• No overtime for hourly
• Blank fields
• PO Box
Payment Red Flags
• Frequent changes to bank numbers
• Terminated employees with current pay
• Employees with multiple bank accounts
• Bank accounts with multiple employees
• Excessive Overtime
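Several of the payroll red flags above can be tested in one pass over an HR extract and a payroll register. The following is an added example, not code from the presentation; the field names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; field names are hypothetical, not from the presentation.
EMPLOYEES = [
    {"id": "E1", "address": "12 Oak St", "routing_acct": "0810-111", "term_date": None, "deductions": 412.10},
    {"id": "E2", "address": "P.O. Box 88", "routing_acct": "0810-222", "term_date": None, "deductions": 0.0},
    {"id": "E3", "address": "9 Elm Ave", "routing_acct": "0810-111", "term_date": date(2016, 6, 30), "deductions": 380.00},
    {"id": "E4", "address": "4 Pine Rd", "routing_acct": "0810-444", "term_date": None, "deductions": 295.55},
]
PAYMENTS = [
    {"emp_id": "E1", "pay_date": date(2016, 9, 15)},
    {"emp_id": "E2", "pay_date": date(2016, 9, 15)},
    {"emp_id": "E3", "pay_date": date(2016, 9, 15)},  # paid after termination date
    {"emp_id": "E4", "pay_date": date(2016, 9, 15)},
]

def payroll_red_flags(employees, payments):
    """Return {employee_id: sorted list of red-flag names} for flagged employees only."""
    flags = defaultdict(set)
    by_account = defaultdict(set)
    for e in employees:
        by_account[e["routing_acct"]].add(e["id"])
        # Normalise "P.O. Box", "PO Box", "po box" to one comparable form.
        addr = e["address"].upper().replace(".", "").replace(" ", "")
        if not addr or addr.startswith("POBOX"):
            flags[e["id"]].add("po_box_or_blank_address")
        if e["deductions"] == 0:
            flags[e["id"]].add("no_withholdings")
    for ids in by_account.values():  # bank accounts with multiple employees
        if len(ids) > 1:
            for emp_id in ids:
                flags[emp_id].add("shared_bank_account")
    term = {e["id"]: e["term_date"] for e in employees}
    for p in payments:  # HR compared v. Payroll
        emp_id = p["emp_id"]
        if emp_id not in term:
            flags[emp_id].add("paid_but_not_in_hr")
        elif term[emp_id] is not None and p["pay_date"] > term[emp_id]:
            flags[emp_id].add("paid_after_termination")
    return {k: sorted(v) for k, v in sorted(flags.items())}

if __name__ == "__main__":
    for emp, found in payroll_red_flags(EMPLOYEES, PAYMENTS).items():
        print(emp, found)
```

Each flag is a lead for follow-up, not a finding: a shared bank account can belong to spouses who both work for the company.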
Accounts Payable
Process Red Flags
• Segregation of duties
• Date Comparisons
• Quantity Comparisons
• Amount Comparison
Employee / Vendor Red Flags
• Same name
• Matching addresses or routing numbers
• Last name or Initials as part of vendor name
• Disclosure and emergency contact comparison
Vendor Red Flags
• Same vendor with different vendor number
• Vendor type does not match vendor spend
• Vendor type does not match purchaser
• Frequent or Inappropriate changes
• Inactive vendor with activity
• Unusual payment terms
• PO Box or no address
• One-time vendors
Payable Red Flags
• Frequent or Inappropriate changes
• Single payment run
• Payment runs at unusual times
• Checks to different address than master
• Invoice and check sequence
Travel & Entertainment
Duplicate Red Flags
Same expense reimbursed more than once
• Identify employees that report expenses for the same transaction dates on multiple expense reports. This makes duplication harder to identify.
• Look at transactions not paid via company card; these could also be duplicates of a card transaction (same date, transaction amount, and vendor/expense type).
• Identify the same transaction reported on different individuals’ expense reports.
Other Red Flags
• Unexpected dates, vendor names, individual names, or keywords
• Round dollars (gift cards, cash)
• Employees who have more than the average quantity or amount of transactions in higher risk or specific expense categories
• Identify expenses with unusual Merchant Category Codes (MCC) based on company policy or transaction type selected by the employee
• Spending zip code
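The three duplicate tests above share one matching key: same date, transaction amount, and vendor. The following added example (not from the presentation) groups expense lines on that key and classifies each match; field names and sample lines are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample expense lines; field names are hypothetical.
EXPENSES = [
    {"report": "R100", "employee": "alice", "txn_date": date(2016, 3, 2), "amount": 184.50, "vendor": "Hotel Lux", "paid_by": "card"},
    {"report": "R117", "employee": "alice", "txn_date": date(2016, 3, 2), "amount": 184.50, "vendor": "HOTEL  LUX ", "paid_by": "cash"},
    {"report": "R101", "employee": "bob", "txn_date": date(2016, 3, 5), "amount": 62.00, "vendor": "Taxi Co", "paid_by": "cash"},
    {"report": "R102", "employee": "carol", "txn_date": date(2016, 3, 5), "amount": 62.00, "vendor": "Taxi Co", "paid_by": "cash"},
    {"report": "R103", "employee": "dave", "txn_date": date(2016, 3, 7), "amount": 25.00, "vendor": "Cafe 9", "paid_by": "card"},
]

def duplicate_expenses(lines):
    """Group lines on (date, amount, normalised vendor) and classify cross-report matches."""
    groups = defaultdict(list)
    for ln in lines:
        vendor = " ".join(ln["vendor"].lower().split())  # ignore case and spacing differences
        groups[(ln["txn_date"], round(ln["amount"], 2), vendor)].append(ln)
    findings = []
    for key, members in groups.items():
        reports = {m["report"] for m in members}
        if len(reports) < 2:
            continue  # the same key within a single report is not a cross-report duplicate
        employees = {m["employee"] for m in members}
        methods = {m["paid_by"] for m in members}
        if len(employees) > 1:
            kind = "same_txn_different_employees"
        elif len(methods) > 1:
            kind = "card_and_out_of_pocket"
        else:
            kind = "same_employee_multiple_reports"
        findings.append({"kind": kind, "reports": sorted(reports), "key": key})
    return sorted(findings, key=lambda f: f["reports"])

if __name__ == "__main__":
    for f in duplicate_expenses(EXPENSES):
        print(f["kind"], f["reports"])
```

Exact-key matching will also surface legitimate pairs, such as two employees who each took a taxi at the same fare, so matches go to review rather than straight to recovery.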
P-Card
Other Red Flags
• Weekends or holidays
• Declined or disputed transactions
• Large transactions
• Active cards v. current employee
• Approval workflow
• Missing receipts
FCPA
Foreign Corrupt Practices Act
• It is unlawful to make a corrupt payment to a foreign official for the purpose of influencing the official in order to assist in obtaining/retaining business
• Companies who file reports with the SEC must maintain records that accurately reflect transactions and the nature and quantity of corporate assets and liabilities
• Yates memo made it personal
• Lower fines by making corruption as difficult to perpetrate as you can
Other Red Flags
• Names and addresses on the SAM list, etc.
• Keyword search in payables, general ledger, P-Cards, T&E
• Journal entries with unexpected combinations of accounts (e.g. debit to sales/credit to cash)
• Analyze sales and commission information
• Identify payroll, travel advances, or travel reimbursements to non-employee
• Test currency exchange expectations
• Purchasing costs
EXERCISE
Question???
What data analysis procedures can we utilize to help identify a fraud where employees create approximately 2 million fake bank/credit card accounts?
Audience Participation
Employees/Managers/Locations Who
• Consistently meet or beat performance quotas
• Have more than average number of accounts that have not been accessed by account holder (activity files exist for everything)
• Have more than average number of accounts opened without customer service interaction (in person, phone, app, online is traced)
• Have more than average number of accounts closed within # days of opening
• Have more than average number of accounts opened for the same customer within # of days
• Have complaints against them (textual analysis of complaint tracking system)
Challenges
• What about the really good salesperson?
• No complaints, surely has a bad month
• Widespread fraud could cause averages to be skewed
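The last challenge can be shown with numbers. The following added example (not from the presentation) goes one step beyond the slide's "more than average" tests: it compares a mean-plus-standard-deviation cutoff with a median/MAD cutoff on constructed per-employee counts, where four of ten employees have inflated rates of never-accessed accounts. The cutoffs 2.0 and 3.5 are assumptions.

```python
import statistics

# Constructed per-employee counts (hypothetical): (accounts opened,
# accounts never accessed by the account holder).
OPENED = {
    "emp01": (100, 3), "emp02": (100, 4), "emp03": (100, 5), "emp04": (100, 5),
    "emp05": (100, 6), "emp06": (100, 7), "emp07": (100, 40), "emp08": (100, 45),
    "emp09": (100, 50), "emp10": (100, 55),
}

def rates(counts):
    """Share of each employee's opened accounts that were never accessed."""
    return {emp: unused / opened for emp, (opened, unused) in counts.items() if opened}

def flag_mean_sd(r, k=2.0):
    """Flag employees more than k standard deviations above the mean rate."""
    vals = list(r.values())
    cutoff = statistics.mean(vals) + k * statistics.stdev(vals)
    return sorted(e for e, x in r.items() if x > cutoff)

def flag_median_mad(r, cutoff=3.5):
    """Flag employees by robust z-score: 0.6745 * (x - median) / MAD."""
    vals = list(r.values())
    med = statistics.median(vals)
    mad = statistics.median(abs(x - med) for x in vals)
    if mad == 0:
        # Degenerate case: at least half the values equal the median, so fall
        # back to flagging anything above it.
        return sorted(e for e, x in r.items() if x > med)
    return sorted(e for e, x in r.items() if 0.6745 * (x - med) / mad > cutoff)

if __name__ == "__main__":
    r = rates(OPENED)
    print("mean + 2 sd  :", flag_mean_sd(r))     # widespread fraud inflates mean and sd
    print("median / MAD :", flag_median_mad(r))  # baseline set by the typical employee
```

The robust cutoff only holds while fewer than half of the population is affected; beyond that the median itself moves, and an external baseline is needed.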
In Summary
• Fraud is not going away and we need to devise better methods to prevent and detect it as early as possible.
• The new COSO Fraud Risk Management Guide encourages the use of data analytics.
• Data analysis is a great preventative and detective control for fraud.
• If people think you are watching, they are less likely to try to commit fraud.
• Payroll, P2P, T&E, and FCPA are great places to start.
• Hindsight is 20/20, but it can be applied to the future.
Any Questions?
Ron Steinkamp | rsteinkamp@bswllc.com | 314-983-1238
Joe Montes | jmontes@bswllc.com | 314-983-1380
A Measurable Difference
6 CityPlace Drive, Suite 900 │ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ bswllc.com
Brown Smith Wallace is a Missouri Limited Liability Partnership