Using ACL to Detect Fraud - The Institute of Internal Auditors

Using ACL to Detect Fraud
Yosef Levine
Audit Senior Manager, Deloitte & Touche LLP
Toby Bishop
Director, Deloitte Forensic Center, Deloitte Financial Advisory Services LLP
October 2, 2008
Copyright © 2008 Deloitte Development LLC. All rights reserved.
Our Panel
Yosef Levine, CPA
Audit Senior Manager
Deloitte & Touche LLP
[email protected]
(212) 436-6442
Toby J. F. Bishop, CPA, CFE, FCA
Director
Deloitte Forensic Center
Deloitte Financial Advisory Services LLP
[email protected]
(312) 486-5636
Objectives
• Understand how to efficiently and
effectively use ACL as part of your efforts to
detect fraud
• Describe the essential steps required for a
successful data preparation process
• Identify the common pitfalls when using
ACL for fraud detection
The Internal Auditor’s Toolbox
• Business Knowledge
• Accounting
• Internal Controls
• Information Systems
• Policies & Procedures
• Interviewing Skills
• CAATs (ACL)
Polling Question #1
How long have you used ACL specifically to
help in the detection of fraud?
a) Not at all
b) Less than one year
c) One to two years
d) Two to five years
e) More than five years
Weaknesses of Traditional IA Techniques
• The audit plan
– Static document
• Planning phase
– Auditee has time to create/alter evidence
– Selections made from potentially incomplete data
– Sample selection process
• Fieldwork
– Inadequate time to follow-up on anomalies
– Extent of testing
– Not designed to detect patterns
– System interfaces not in scope
Polling Question #2
To what extent do you incorporate ACL in your
internal audits?
a) For some repetitive audits (e.g., T&E)
b) In the scoping of all audits
c) To determine which locations/departments to include
in the audit plan
d) All of the above
e) Not at all
Benefits of Analyzing Data with ACL
• Analyze the full population of transactions instead
of a traditional sampling approach.
• Identify hidden relationships between people,
organizations and events.
• Identify potentially improper or fraudulent
transactions.
• Test internal controls effectiveness.
• Data integrity preserved.
• Perform proactive instead of reactive audits.
Polling Question #3
Which of the following tools does your organization
use most frequently to extract and analyze data?
a) Data Analysis tools (ACL, IDEA, SAS, Monarch)
b) Spreadsheets (Excel)
c) Database systems (Access, PeopleSoft, SAP,
Oracle)
d) Internally developed software
e) Other
The ACL Roadblocks
What can make the technical aspects of getting
data for fraud analyses more difficult?
• You do not know how to request data.
• The data you receive is in a format you are unfamiliar with and you cannot seem to make it work in ACL.
Absent the above, using ACL is easy and
straightforward.
Key Tips on Requesting Data Files
• Know your audience (the Controller), use
wording to match their background and
knowledge.
• Use existing reports as references.
• Be particular about the cutoff or as-of
date of the data, and required data
fields.
Organizational IT System
A properly planned data analysis project
begins with a full understanding of an
entity’s IT system.
• Legal, Financial, & Geographical Entity
• GL System, Sub-system, & Interfaces
• Key Client Personnel
• Internal vs. External
The 3 Phases of Data Analysis
• Phase 1: Planning and Acquiring Data
• Phase 2: Accessing and Verifying Data
• Phase 3: Analyzing Data and Reporting
The 3 Phases of Data Analysis
• Phase 1: Planning and Acquiring Data
• Determine audit objectives for each audit section.
• Determine what reports, schedules, etc. would be
needed in order to accomplish audit objectives
manually.
• Specifically identify exactly which reports are
needed in electronic format.
• Use of test data is beneficial for large scale
projects.
• Prepare request to receive electronic data. Make
sure the request contains the proper cutoff date and data
field types.
The 3 Phases of Data Analysis
• Phase 2: Accessing and Verifying Data
• Receive data file, control totals, and record
layout.
• Review data received and discuss differences
as needed.
• Import data files, define fields, verify, and
reconcile data to provided entity records.
• Report back differences in control totals or
fields deviating from initial request.
• Re-request data as needed and re-perform
steps above as needed.
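The Phase 2 reconciliation steps above, sketched as an added Python example that is not part of the webinar material: it checks a delivered file against the control totals supplied with it and lists the field-level differences to report back. The file layout, field names, cutoff date and totals are constructed for illustration.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample extract (illustrative, not webinar data): an invoice file
# as delivered by the data owner.
SAMPLE_EXTRACT = """invoice_id,vendor_id,invoice_date,amount
INV-001,V100,2008-09-28,1250.00
INV-002,V101,2008-09-29,980.50
INV-003,,2008-09-30,410.25
INV-004,V102,2008-13-01,75.00
INV-005,V103,2008-09-30,12x.00
"""

# Constructed control totals, as reported alongside the file.
CONTROL_TOTALS = {"record_count": 5, "amount_total": Decimal("2835.75")}
REQUIRED_FIELDS = ("invoice_id", "vendor_id", "invoice_date", "amount")


def verify_extract(text, control, cutoff="2008-09-30"):
    """Reconcile an extract to its control totals and list field-level problems."""
    cutoff_date = datetime.strptime(cutoff, "%Y-%m-%d").date()
    rows = list(csv.DictReader(io.StringIO(text)))
    problems, total = [], Decimal("0")
    for n, row in enumerate(rows, start=1):
        # Blank-field check on every field named in the data request.
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                problems.append((n, field, "blank"))
        # Date must parse and must not fall after the requested cutoff.
        try:
            posted = datetime.strptime(row.get("invoice_date") or "", "%Y-%m-%d").date()
            if posted > cutoff_date:
                problems.append((n, "invoice_date", "after cutoff"))
        except ValueError:
            problems.append((n, "invoice_date", "invalid date"))
        # Amounts that do not parse are excluded from the total and reported.
        try:
            total += Decimal(row.get("amount") or "")
        except InvalidOperation:
            problems.append((n, "amount", "not numeric"))
    return {
        "count_diff": len(rows) - control["record_count"],
        "amount_diff": total - control["amount_total"],
        "problems": problems,
    }


if __name__ == "__main__":
    print(verify_extract(SAMPLE_EXTRACT, CONTROL_TOTALS))
```

In the sample, the record count reconciles but the amount total is short by exactly the value of the one record whose amount field does not parse, which is the kind of difference to report back before any analysis starts.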
The 3 Phases of Data Analysis
• Phase 2: Accessing and Verifying Data
• ACL has tools to define report files and many
other data file types automatically.
• If loading data from ODBC compatible databases,
re-use the import statements. Also possible with
Excel and delimited files. Include these
statements in scripts and add variables to input
the file and field names.
• Request the data using standard formats like
DBF, text (delimited or fixed record length). In that
case you can re-link the format to new files.
The 3 Phases of Data Analysis
• Phase 3: Analyzing Data and Reporting
• Trace numerical totals to GL or other summarized
data to assist in verifying completeness.
• Perform procedures based on objectives defined in
Phase 1.
• Review results and obtain explanations and/or
corroborating evidence for exceptions.
• Perform follow-up procedures based on new or
additional data.
• Document findings and obtain related data projects
and logs for future reference.
The 3 Phases of Data Analysis
• Phase 3: Analyzing Data and Reporting
• Use ACL commands like STATISTICS,
VERIFY, SUMMARIZE, JOIN, RELATE in
order to process data.
• When using scripts, include commands
instead of using logic to perform the same
function.
• Use macro-substitution to update thresholds,
and DIALOG boxes to enter parameters into
the scripts.
Polling Question #4
Do you have a fraud program that incorporates
CAATs (ACL or any data analysis tool) as part of
your standard process?
a) Yes
b) No
c) Don’t know
Areas Where ACL is Commonly Used
• Improve Data Quality
• Journal Entries (SAS 99)
• Accounts Receivable
• Inventory
• Investments
• Expenses
• Revenues
• PP&E
• Payroll
• Accounts Payable
Improve Data Quality
Identify data quality anomalies like:
• Records with blank fields
• Invalid address and phone data
• Invalid SSN for employees
• Invalid bank account for employees
• Invalid characters in description fields
• Future dates that are not expected (hire date, promotion date…)
• Invalid dates
Data quality anomalies make fraud more difficult
to detect!
Journal Entries
Statement on Auditing Standards (SAS) 99, Consideration of
Fraud in a Financial Statement Audit
Requires the external auditor to
examine journal entries and other
adjustments for evidence of possible
material misstatement due to fraud.
Specifically states that “the auditor’s
procedures should include selecting
from the general ledger journal
entries to be tested and examining
support for those items.”
Internal auditors can also test journal
entries
Journal Entries
• Data Quality Checks
• Weekend/Non Business Hours Test
• Individuals who typically do not make entries
• Words Test
• Round Values Test
• Duplicates Test
• Dates Analysis (Posted vs. Effective)
• Benford’s Analysis
• Unrelated, unusual or Seldom-used Accounts Test
• Consistent Ending Numbers Test
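Four of the journal entry tests listed above (weekend, round values, duplicates, Benford's analysis), as an added Python example that is not from the webinar or from ACL. The entry layout, user names, accounts and amounts are constructed, and the round-value unit of 1,000 is an assumption.

```python
from collections import Counter
from datetime import date
from math import log10

# Constructed journal entries: (entry_id, user, posted, account, amount)
ENTRIES = [
    ("JE1", "akim", date(2008, 9, 26), "6100", 1843.17),
    ("JE2", "akim", date(2008, 9, 27), "6100", 50000.00),  # Saturday, round
    ("JE3", "bross", date(2008, 9, 29), "4000", 912.40),
    ("JE4", "bross", date(2008, 9, 29), "4000", 912.40),   # repeats JE3
    ("JE5", "cdiaz", date(2008, 9, 28), "1999", 9000.00),  # Sunday, round
    ("JE6", "cdiaz", date(2008, 9, 30), "6100", 127.99),
]


def weekend_entries(entries):
    """Weekend test: entries posted on a Saturday or Sunday."""
    return [e[0] for e in entries if e[2].weekday() >= 5]


def round_value_entries(entries, unit=1000):
    """Round values test: amounts that are exact multiples of `unit`.

    Works in whole cents so float representation does not hide a match.
    """
    return [e[0] for e in entries if round(e[4] * 100) % (unit * 100) == 0]


def duplicate_entries(entries):
    """Duplicates test: groups of entries sharing date, account and amount."""
    groups = {}
    for entry_id, _user, posted, account, amount in entries:
        groups.setdefault((posted, account, amount), []).append(entry_id)
    return [ids for ids in groups.values() if len(ids) > 1]


def benford_table(entries):
    """Benford's analysis: {digit: (observed count, expected count)} for 1-9.

    Expected share of leading digit d is log10(1 + 1/d). Zero amounts have no
    leading digit and are skipped.
    """
    digits = [f"{abs(e[4]):.2f}".lstrip("0.")[:1] for e in entries]
    observed = Counter(d for d in digits if d)
    n = sum(observed.values())
    return {d: (observed[str(d)], round(n * log10(1 + 1 / d), 2))
            for d in range(1, 10)}


if __name__ == "__main__":
    print("weekend:", weekend_entries(ENTRIES))
    print("round:", round_value_entries(ENTRIES))
    print("duplicates:", duplicate_entries(ENTRIES))
    print("benford:", benford_table(ENTRIES))
```

Six entries are far too few for a meaningful Benford comparison; the sample only shows the mechanics, and the observed-versus-expected table becomes useful on a full population of entries.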
Some Revenue Fraud Tests
Sales posted in different periods testing
• Check for significant variance in subsequent-period sales figures.
• Unusual relationship between post and effective dates of journal entries near end of period.
Bill and hold testing
• Check for shipping info missing on invoices.
• Check for large, numerous, or unusual sales transactions occurring shortly before the end of the period.
• Check for excessive shipments made to warehouses rather than to a customer’s regular address.
Channel stuffing testing
• Check for increase in quantity of products shipped/sold at or near the end of the reporting period.
• Check for significant returns after the period close.
Some Revenue Fraud Tests
Duplicate invoices testing
• Check for invoices with same date, amount and vendor.
Fictitious shipments testing
• Compare voucher or invoice amount to PO or contract amounts.
• Identify POs without freight charges by vendor.
• Look for inventory shipped to addresses other than customer addresses on file.
• Look for adjustments to shipping dates.
Dormant account analysis testing
• Stratify and accumulate current balance amounts for accounts with “n” months with no activity. Compare last transaction date with current date.
Some Payroll Fraud Tests
Ghost employees testing
• Compare employee master file to payroll.
• Verify SSN structure.
• Look for employees with P.O. Boxes for addresses.
• Look for employees without vacations or retentions.
• Identify different employees with the same address or telephone number.
Work hour analysis testing
• Monitor accumulated amount of hours per employee, comparing it to a standard.
• Compare Departments – Verify employees working for multiple departments.
Duplicate payments testing
• Run duplicate tests on the payroll file by employee name or address.
Some Expense Fraud Tests
SOD – Authorizations Testing
• Identify expenses, where approver and traveler are the same person.
• Identify all expenses, with an approved status, made by employees who are not authorized to approve.
Split Transactions Testing
• Identify split transactions where a series of smaller transactions exceed the expense limit.
• Check for transactions just below the expense limit.
Duplicate Expenses Testing
• Check for expenses with the same date, same vendor and same amount.
Round Dollar Amounts Testing
• Check for expenses made with the company credit card for round dollar amounts.
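The segregation-of-duties, just-below-limit and split-transaction tests above, as an added Python example that is not from the webinar or from ACL. The expense limit, the 5% "just below" band, the two-day grouping window and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

EXPENSE_LIMIT = 500.00            # assumed per-transaction approval limit
NEAR_LIMIT_BAND = 0.05            # assumed: "just below" = within 5% of limit
SPLIT_WINDOW = timedelta(days=2)  # assumed gap that still links two purchases

# Constructed expense lines:
# (expense_id, traveler, approver, vendor, date, amount)
EXPENSES = [
    ("E1", "jlee", "mroy", "Hotel A", date(2008, 9, 8), 310.00),
    ("E2", "jlee", "mroy", "Hotel A", date(2008, 9, 9), 290.00),
    ("E3", "pnair", "pnair", "Airline B", date(2008, 9, 10), 420.00),
    ("E4", "tsato", "mroy", "Store C", date(2008, 9, 11), 495.00),
    ("E5", "tsato", "mroy", "Store C", date(2008, 9, 20), 120.00),
]


def self_approved(expenses):
    """SOD test: the approver and the traveler are the same person."""
    return [e[0] for e in expenses if e[1] == e[2]]


def just_below_limit(expenses, limit=EXPENSE_LIMIT, band=NEAR_LIMIT_BAND):
    """Transactions inside the band immediately under the expense limit."""
    return [e[0] for e in expenses if limit * (1 - band) <= e[5] < limit]


def split_transactions(expenses, limit=EXPENSE_LIMIT, window=SPLIT_WINDOW):
    """Runs of purchases by one traveler at one vendor, each under the limit
    and close together in time, whose combined total exceeds the limit."""
    by_key = defaultdict(list)
    for e in expenses:
        if e[5] < limit:
            by_key[(e[1], e[3])].append(e)
    findings = []
    for items in by_key.values():
        items.sort(key=lambda e: e[4])
        run = [items[0]]
        # The trailing None closes the final run.
        for e in items[1:] + [None]:
            if e is not None and e[4] - run[-1][4] <= window:
                run.append(e)
                continue
            total = sum(x[5] for x in run)
            if len(run) > 1 and total > limit:
                findings.append(([x[0] for x in run], round(total, 2)))
            run = [e]
    return findings


if __name__ == "__main__":
    print("self-approved:", self_approved(EXPENSES))
    print("just below limit:", just_below_limit(EXPENSES))
    print("split:", split_transactions(EXPENSES))
```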
Some Inventory/Procurement Fraud Tests
High Value Items Analysis Testing
• Identify the items with the highest number of accumulated quantities.
Employee Vendor Comparison Testing
• Identify transactions with vendors where the employee’s last name matches at least one word in the vendor name.
• Identify vendors operating from the same address.
• Employee Vendor Match – Address/Name.
Purchases just under the limit Testing
• Small Dollar Transactions – To identify very small dollar transactions that could be indicative of hacking.
• Extract transactions where the amount is below the limit (threshold).
Some Accounts Payable Fraud Tests
• Validate vendors with external data sources.
• Identify highest/lowest dollar vendors.
• Stratify top/bottom vendors by number of invoices.
• Identify vendors with excessive credit memos.
• Identify routine payments that are not expected.
• Identify top employee expense reimbursements.
• Identify individuals with excessive authorizations of large
dollar amounts.
• Identify payments within a small dollar amount of
authorization thresholds.
• Identify payments made prior to the invoice date.
Polling Question #5
Is your organization planning to implement a
continuous monitoring process in the near future?
a) Yes, within 1 year
b) Yes, in 1 to 3 years
c) Yes, in 3 to 5 years
d) No plans
e) Don’t know
Transactional Controls & Financial Integrity
• Transactions and transactional data are
the lifeblood of an organization.
• Controls over the transactions and the data
that record them are critical.
• Financial accountability and assurance
depends on the integrity & reliability of the:
– Transactions themselves
– Data that records the transactions
– Financial reports that summarize transactional
data
Challenges of Designing and
Maintaining Effective Controls
• Cost vs. Benefit of installing new controls.
• Manual controls break down as volumes
increase.
• Automated controls within applications are
time-consuming to implement; expensive,
difficult to maintain.
• New system implementations often disregard
audit and internal control experts.
• Super users and system administrators
can bypass controls.
Internal Audit and Continuous
Transaction Monitoring
Continuous Monitoring provides an
independent mechanism to automatically
monitor internal control effectiveness.
Benefits
• Independent testing of controls.
• Timely notification to management of controls breakdown.
• Improved fraud detection and improved risk management.
• Improvements to efficiency and effectiveness.
• Extensibility to multiple end-to-end business processes.
• Sustainable compliance.
Continuous Transaction Monitoring
Process
• Take the analytical procedures performed during the
occasional or historical audit process.
• Add additional sophisticated procedures if required.
• Embed them in a regular operational monitoring process
for all transactional data.
• Test transactional data against defined control parameters
/rules.
• Run automatically on a regular basis – daily, weekly or more
frequently.
• Automatically generate exception reports/alerts.
• Provide management insight into results.
Continuous Transaction Monitoring Process
• Provides visibility into controls health to all stakeholders
• Presents quantified control exceptions
• Applies automated tests to critical control points
• Review 100% of transactions across all systems & platforms
Contact Information
Yosef Levine
Audit Senior Manager
Deloitte & Touche LLP
+1 212 436 6442
[email protected]
Toby Bishop
Director, Deloitte Forensic Center
Deloitte Financial Advisory Services LLP
+1 312 486 5636
[email protected]
Thank you for participating!
Please join us for The IIA’s upcoming webinars:
• October 14: Energizing Internal Audit in Changing Workforce. Type: IIA. Notes: Live NASBA CPE; CPE available for Playback (non-NASBA)
• October 23: IT Governance. Type: IT Hot Topic. Notes: Live CPE only; Presented in association with Deloitte
• October 28: Convergence Killers and the Role of Internal Auditors. Type: IIA. Notes: Live NASBA CPE; CPE available for Playback (non-NASBA)
• October 30: Financial Statement Fraud: Considerations for Internal Auditors. Type: Fraud Hot Topic. Notes: Live CPE only; Presented in association with Deloitte
The information contained in this publication is for general
purposes only and is not intended, and should not be
construed, as legal, accounting, or tax advice or opinion
provided by Deloitte to the reader. This material may not be
applicable or suitable for the reader’s specific circumstances
or needs. Therefore, the information should not be used as a
substitute for consultation with professional accounting, tax, or
other competent advisors. Please contact a local Deloitte
professional before taking any action based upon this
information.
About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche
LLP, a subsidiary of Deloitte LLP. Please see
www.deloitte.com/us/about for a detailed description of the
legal structure of Deloitte LLP and its subsidiaries.
A member firm of
Deloitte Touche Tohmatsu