In our first blog in a series on fraud data analytics, we identified a ten-step methodology for conducting a fraud data analytics project. In this blog, we will discuss steps one and two.
What is the scope of the fraud data analysis plan?
· What type of fraud?
· What years?
· What data tables?
How will the fraud risk assessment impact the fraud data analytics plan?
· Listing of fraud risk statements?
· Strategy for which risk statements to include in the fraud data analytics?
The Objective and Scope of the Audit Project
All audit projects start with the objectives and scope of the audit project. The audit objective may be to determine the adequacy and effectiveness of internal controls, integrate fraud detection into the control audit, or perform a comprehensive fraud audit. This objective determines the scope. If the audit is internal control based, then the auditor would use a control avoidance strategy. If the audit is designed to integrate fraud detection, then the fraud risk assessment would determine the scope of the audit project. In a comprehensive fraud audit, all the fraud risk statements within the fraud universe would be included in the audit scope.
What Type of Fraud?
Every fraud data analytics project starts with the same question: What type of fraud is the fraud auditor searching for in their core business systems? The fraud universe provides a logical answer to defining the fraud audit scope. The big three fraud categories are asset misappropriation, corruption and financial reporting. The actual fraud universe facing every company is far more exhaustive, but for the purpose of this blog, we will use the big three. Once the primary category is selected, the secondary category must be chosen, followed by the inherent schemes and eventually the fraud risk statements. My blog, “How to write a fraud risk statement,” explains the process.
Define the Time Period
Once you have determined what type of fraud you are searching for, the next question is what time period the audit will cover. This should be driven by the primary category of fraud rather than an auditor’s preference. Will the analysis include one, two, three, four, or more than four years of data? I prefer to use full-year data sets rather than partial-year data sets for analysis. This makes it easier to compare year over year and ensures that there is enough data. The exception to that rule is investigations or specific audit tests. Generally, I suggest the following guidelines for the number of years:
Asset misappropriation: Two years of data. This is typically sufficient to see the data pattern for theft of assets. The exception is when the fraud has started at the end of the two-year period.
Corruption: Three years of data. A word of caution: unlike asset misappropriation, with corruption it is not as easy to define the number of years. The key in corruption analysis is having sufficient data to observe a pattern or trend consistent with your corruption fraud risk statement.
Financial reporting: The year of the financial statement opinion. In financial statement audits, there may be a need to include the next year’s data up to the opinion date or use last year’s data for retrospective analysis.
What Data Tables?
The third step is to determine the primary and secondary data tables for both analysis and matching. The primary table is determined by the fraud risk statement and the purpose of the analysis. In a speed of payment test, the primary table is the invoice table and the secondary table is the payment table. The purpose of the analysis is to determine which vendors have a pattern of invoices being paid faster than company policy.
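The speed of payment test described above, as an added example that is not part of the original post. The column layout, the 30-day policy, the sample rows and the flagging thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date

POLICY_DAYS = 30  # assumed policy: invoices are paid 30 days after invoice date
# Constructed sample rows. Primary table: (invoice_id, vendor_id, invoice_date)
INVOICES = [
    ("INV-001", "V100", date(2023, 1, 5)), ("INV-002", "V100", date(2023, 2, 1)),
    ("INV-003", "V100", date(2023, 3, 1)), ("INV-004", "V100", date(2023, 3, 20)),
    ("INV-005", "V200", date(2023, 1, 10)), ("INV-006", "V200", date(2023, 2, 10)),
    ("INV-007", "V200", date(2023, 3, 10)), ("INV-008", "V200", date(2023, 4, 10)),
    ("INV-009", "V300", date(2023, 2, 15)),
]
# Secondary table: (invoice_id, payment_date). INV-004 has no payment yet.
PAYMENTS = [
    ("INV-001", date(2023, 2, 5)), ("INV-002", date(2023, 3, 3)),
    ("INV-003", date(2023, 4, 3)), ("INV-005", date(2023, 1, 12)),
    ("INV-006", date(2023, 2, 13)), ("INV-007", date(2023, 3, 11)),
    ("INV-008", date(2023, 5, 11)), ("INV-009", date(2023, 2, 19)),
]

def speed_of_payment(invoices, payments, policy_days=POLICY_DAYS,
                     min_paid=3, min_fast_share=0.75):
    """Summarise early payment by vendor; a flag needs volume, not one invoice."""
    first_paid = {}
    for inv_id, paid in payments:  # earliest payment wins if there are several
        first_paid[inv_id] = min(paid, first_paid.get(inv_id, paid))
    stats = defaultdict(lambda: {"paid": 0, "fast": 0, "days": 0, "unpaid": 0})
    for inv_id, vendor, inv_date in invoices:
        row = stats[vendor]
        if inv_id not in first_paid:
            row["unpaid"] += 1  # unmatched invoices are counted, not guessed at
            continue
        days = (first_paid[inv_id] - inv_date).days
        row["paid"] += 1
        row["days"] += days
        row["fast"] += days < policy_days  # paid sooner than policy allows
    report = {}
    for vendor, row in stats.items():
        share = row["fast"] / row["paid"] if row["paid"] else 0.0
        report[vendor] = {
            "paid": row["paid"], "unpaid": row["unpaid"], "fast_share": share,
            "avg_days": row["days"] / row["paid"] if row["paid"] else None,
            "flag": row["paid"] >= min_paid and share >= min_fast_share,
        }
    return report

if __name__ == "__main__":
    for vendor, row in sorted(speed_of_payment(INVOICES, PAYMENTS).items()):
        print(vendor, row)
```

In the constructed data, vendor V300 has the highest share of early payments but only one paid invoice, so it is reported without being flagged as a pattern.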
The important aspect is what I call the “predictability factor.” The fraud data analytics planning reports are designed to tell the fraud auditor, at a high level, the probability that the fraud scenario is occurring in the business systems. The reports are generally not sufficiently detailed to identify a fraud scenario. The probability is based simply on the fact that transactions exist in the data set that, at a high level, are consistent with the fraud data profile for the scenario.
To illustrate the probability concept, ghost employees who are false and created by an internal person tend to have a high percentage of net payroll to gross payroll. One of the first fraud data analytics reports in a payroll fraud audit is a comparison of gross payroll to net payroll by employee with a percentage calculation. Having a high net pay percentage is indicative of a fictitious ghost employee, a contra adjustment scheme in the deduction field, or a false adjustment scheme to net payroll.
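The gross-to-net payroll comparison described above, as an added example that is not part of the original post. The register layout, the sample rows and the 90 percent review cutoff are assumptions; the per-period check for net exceeding gross goes beyond the by-employee percentage the text describes and is included because totals can hide a single adjusted pay run.

```python
from collections import defaultdict
from decimal import Decimal

CUTOFF_PCT = Decimal("90")  # assumed review threshold, not a figure from the post

# Constructed payroll register rows: (employee_id, pay_period, gross, net)
REGISTER = [
    ("E001", "2023-01", "5000.00", "3650.00"),
    ("E001", "2023-02", "5000.00", "3650.00"),
    ("E002", "2023-01", "4200.00", "3108.00"),
    ("E002", "2023-02", "4200.00", "3108.00"),
    ("E003", "2023-01", "3000.00", "2970.00"),  # almost nothing deducted
    ("E003", "2023-02", "3000.00", "2970.00"),
    ("E004", "2023-01", "4000.00", "2800.00"),
    ("E004", "2023-02", "500.00", "900.00"),    # net exceeds gross in one run
    ("E005", "2023-02", "0.00", "250.00"),      # net paid with no gross
]

def net_to_gross(register, cutoff_pct=CUTOFF_PCT):
    """Total gross and net by employee and list the reasons to review each."""
    totals = defaultdict(lambda: {"gross": Decimal(0), "net": Decimal(0), "over": 0})
    for emp, _period, gross, net in register:
        gross, net = Decimal(gross), Decimal(net)
        t = totals[emp]
        t["gross"] += gross
        t["net"] += net
        t["over"] += net > gross  # period-level check the totals can hide
    report = {}
    for emp, t in totals.items():
        pct, reasons = None, []
        if t["gross"] > 0:
            pct = (t["net"] / t["gross"] * 100).quantize(Decimal("0.1"))
            if pct >= cutoff_pct:
                reasons.append("high net pay percentage")
        else:
            reasons.append("no positive gross pay")  # percentage is undefined
        if t["over"]:
            reasons.append("net exceeds gross in a pay period")
        report[emp] = {"gross": t["gross"], "net": t["net"],
                       "net_pct": pct, "reasons": reasons}
    return report

if __name__ == "__main__":
    for emp, row in sorted(net_to_gross(REGISTER).items()):
        print(emp, row["net_pct"], row["reasons"])
```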
Setting up a Fraud Risk Assessment
The fraud risk assessment is a key work paper in documenting the auditor’s judgment regarding the likelihood of a fraud risk statement occurring in a core business system. The document provides a listing of fraud risk statements, internal controls, and an assessment of the likelihood of fraud and its impact. The final question in the fraud risk assessment is determining the residual risk facing the organization. So, how does this document help the auditor in building a fraud data analytics plan?
The proverbial million-dollar question is: “Which fraud risk statements should I include in my plan?” or, stated another way, “Which fraud data analytics search routines should I use?” The risk assessment helps in this aspect through the analysis of inherent fraud risk or residual fraud risk.
Depending on the purpose of the audit or the applicable audit standards, the fraud risk assessment will provide the auditor with the answer to that million-dollar question.
The audit objective is the starting point for determining which fraud risk statements should be included in your plan. As a guideline, in a control-based approach, the overall fraud risk or residual risk would assist in the determination. In a fraud-based approach, inherent fraud risk or auditor judgment would point the auditor in the right direction. Other strategies are fraud risk statements common in the industry, reacting to a high-profile fraud in a company in the same industry, or simply chief auditor judgment.
To be honest, in one sense, there really is no way to know which fraud risk statements might be occurring because it assumes the fraud auditor knows what fraud scenario someone might be committing. In reality, we search for patterns commonly associated with a fraud scenario or we search for all the logical fraud scenario permutations associated with the applicable business system. In truth, real fraud data analytics is exhausting work. However, please understand that sound and thoughtful planning will provide the fraud auditor with a supportable best guess.