Dr. Kishore Singh & Prof. Peter Best Department of Accounting,...

Dr. Kishore Singh & Prof. Peter Best
Department of Accounting, Finance & Economics

Griffith University

Introduction
• Modern ERP systems record several thousands of transactions daily
• Difficult to find a few instances of anomalous activities among legitimate transactions
• CA/CM systems perform substantial analytics, but may produce lengthy reports → information overload
• Approaches that reduce the burden of excessive information are more likely to contribute to the overall effectiveness of the audit process
• We address this issue by demonstrating the use of visualization to present information graphically

Visualization
• Any technology that enables users to 'see' information - helps them better understand and put it into an appropriate context
• Patterns, trends and correlations that may go undetected in text-based data → exposed and recognised with less effort.
• High volume data - visualized as a collection of points in two-dimensional space

Framework for Research
• The visualizations developed in this paper are based on node-link diagrams
• Each node is shown as a point, circle, polygon, or some other graphical object, and each edge is shown as a line or curve connecting the two nodes
• Nodes are places in two-dimensional space, and edges represent relationships between the nodes
• Why node-link diagrams? They simplify identification of relationships
• Goal - create a representation that makes underlying data understandable and visually appealing

Anomaly Detection in Accounts Payable
• Key methods to detect
  • violations in segregation of duties
  • known fraud schemes
• We focus on the former
• ACFE (2014) - key indicators for frauds are lack of internal controls or an ability to override existing internal controls
• E.g. - to perpetrate a vendor fraud an employee creates a shell company and submits fictitious invoices for payment
• To successfully perpetrate this scheme requires violation of segregation of duties by creating (or modifying) vendor master records, and entering invoices for payment

Question 1
• What types of visualizations may assist auditors in discovering potential anomalies in accounts payable transaction data?
• Little and Best (2003) proposed the following two separation of duties principles for accounts payable
  • separation of master record maintenance from transaction entry
  • separation of payments and cheque entry from invoice data entry
• Motivation - users that have these authorizations are capable of creating shell companies and paying fictitious invoices without being detected.

Visualizations to Detect AP Fraud
• The following node-link visualizations are produced in this study to detect violations in SoDs:
  • Users performing vendor maintenance, entering invoice and processing payments
  • Users performing vendor maintenance and processing payments
  • Users performing vendor maintenance and entering invoices
  • Users entering invoices and processing payments

Special Case
• Modify existing legitimate vendor – change vendor's banking details temporarily to fraudulent account, process payment, revert vendor's banking details to the original values (flipping)

Visualizations to detect special case
• Vendors sharing bank accounts – if an employee sets up a shell company to perpetrate vendor fraud and uses a common account to have payments sent to, then amongst the visualization of vendor bank accounts, it will appear that both a legitimate vendor and one or more other vendors shared the same bank account at some point
• Vendors with multiple bank accounts – should an employee temporarily or permanently modify an existing legitimate vendor's banking details (for genuine or fraudulent reasons), then these changes visually appear as though the vendor had more than one bank account at some point
• Timeline analysis for vendor bank account changes (relates to vendors with multiple bank accounts) – list of transactions that are processed to any or all listed bank accounts that a vendor had at some point
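
The three checks above can be run as data queries before anything is drawn. The following is an added example, not code from the presentation; the record layouts, vendor numbers and account numbers are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed bank-detail history: (vendor, effective date, bank account).
CHANGES = [
    ("V100", date(2015, 1, 5), "AU-111"),
    ("V100", date(2015, 3, 10), "AU-999"),   # temporary change
    ("V100", date(2015, 3, 12), "AU-111"),   # reverted to the original value
    ("V200", date(2015, 1, 8), "AU-222"),
    ("V300", date(2015, 2, 1), "AU-999"),    # same account as V100 used briefly
    ("V400", date(2015, 1, 9), "AU-444"),
    ("V400", date(2015, 4, 1), "AU-445"),    # permanent change
]
# Constructed payments: (vendor, payment date, amount).
PAYMENTS = [("V100", date(2015, 2, 20), 1200.0),
            ("V100", date(2015, 3, 11), 36500.0),
            ("V400", date(2015, 4, 15), 800.0)]

def history(changes):
    """Per vendor, the bank accounts in the order they became effective."""
    h = defaultdict(list)
    for vendor, day, acct in sorted(changes, key=lambda c: (c[0], c[1])):
        h[vendor].append((day, acct))
    return h

def shared_accounts(changes):
    """Bank accounts that more than one vendor held at some point."""
    owners = defaultdict(set)
    for vendor, _, acct in changes:
        owners[acct].add(vendor)
    return {a: sorted(v) for a, v in owners.items() if len(v) > 1}

def multiple_accounts(changes):
    """Vendors that had more than one bank account at some point."""
    accts = {v: sorted({a for _, a in h}) for v, h in history(changes).items()}
    return {v: a for v, a in accts.items() if len(a) > 1}

def flips(changes, payments):
    """A -> B -> A sequences, with the payments made while B was active."""
    found = []
    for vendor, h in history(changes).items():
        for (_, a0), (d1, a1), (d2, a2) in zip(h, h[1:], h[2:]):
            if a0 == a2 != a1:
                paid = [(d, amt) for v, d, amt in payments
                        if v == vendor and d1 <= d < d2]
                found.append((vendor, a1, d1, d2, paid))
    return found
```

A permanent change such as V400's appears under multiple accounts but not under flips, which keeps the timeline review focused on changes that were later reverted.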

Finding Collusion
• Challenging - no “silver bullet”
• Employees collude to overcome well-designed internal controls
• Visualizations produced in this study have the potential to highlight such activities which may assist an auditor in directing their investigations

Question 2
• How can a dataset be used to dynamically produce visualizations without user intervention?
• Pre-processed data → source data for visualizations
• Visualizations produced in Graphviz
  • Open source graph visualization software
  • Uses the DOT language to describe graphs
• In DOT - three types of objects
  • Graphs
  • Nodes
  • Edges
• Graphs may be undirected or directed

How does it work?
• Several layout programs available in Graphviz
• Take descriptions of graphs written in DOT (syntax), and produce diagrams
• For example
  • This syntax: digraph G {Hello->World}
  • Produces:

Question 2 version 2
• How can a pre-processed dataset be used to dynamically create DOT code which may be used to produce node-link visualizations in Graphviz?
• DOT is simple yet complex
• Several attributes need to be defined for graphs, nodes and edges
• Nodes → ellipses, boxes, records or plain text (no outline)
• Node → polygon or record-based
• Default node label is its name
• Node and edge labels need to be set explicitly
• Multi-line labels are possible
• Colour attributes can be specified for nodes and edges
• Other characteristics - orientation, size, spacing and placement are all configurable

DOT Example
• This visualization demonstrates relationship among users and types of transactions they perform
• It requires 74 lines of DOT code
• More complex visualizations may potentially contain hundreds or thousands of lines of DOT code that may vary from one visualization to the next

DOT Code for Example
• A section of the DOT code to produce the previous visualization

The Solution
• Graphviz codewriter – black box solution
• Requires filtered/pre-processed dataset
• Six step process

GraphViz Codewriter process
• Step 1
  • Read pre-processed data into codewriter
• Step 2
  • Define type of graph (e.g. directed), preconfigure attributes
• Step 3
  • Extract all user nodes from dataset and preconfigure their attributes (SQL Select)
• Step 4
  • Extract all transaction nodes from dataset and preconfigure
• Step 5
  • Find associations between user and transaction nodes, establish edges, preconfigure attributes
• Step 6
  • Export DOT file for use by layout program
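
The six steps can be followed end to end in a short script. This is an added example, not the authors' codewriter: the sample rows are constructed, the mapping of SAP transaction codes to duties is an assumption, and Python set operations stand in for the SQL Select of steps 3 and 4.

```python
import csv, io
from collections import defaultdict

# Constructed pre-processed rows: user, SAP transaction code, company code.
SAMPLE = """user,tcode,company
ALICE,FK02,1000
ALICE,FB60,1000
ALICE,FB60,2000
ALICE,F110,1000
BOB,FB60,1000
CAROL,F110,1000
DAVE,FK01,2000
DAVE,F110,2000
"""
# Assumed mapping of transaction codes to accounts payable duties.
DUTY = {"FK01": "vendor maintenance", "FK02": "vendor maintenance",
        "FB60": "invoice entry", "F110": "payment"}

def read_rows(text):                                   # Step 1
    return list(csv.DictReader(io.StringIO(text)))

def sod_violators(rows, duties):
    """Users whose activity covers every duty in `duties`."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(DUTY.get(r["tcode"]))
    return sorted(u for u, done in seen.items() if set(duties) <= done)

def q(s):
    """Quote a value as a DOT string ID."""
    return '"' + s.replace('"', '\\"') + '"'

def write_dot(rows, duties):
    users = sod_violators(rows, duties)
    edges = sorted({(r["user"], r["tcode"], r["company"]) for r in rows
                    if r["user"] in users and DUTY.get(r["tcode"]) in duties})
    out = ["digraph SoD {", "  rankdir=LR;"]           # Step 2
    for u in users:                                    # Step 3
        out.append(f"  {q(u)} [shape=ellipse, color=red];")
    for t in sorted({e[1] for e in edges}):            # Step 4
        out.append(f"  {q(t)} [shape=box, label={q(t + ' (' + DUTY[t] + ')')}];")
    for u, t, c in edges:                              # Step 5: one edge per company code
        out.append(f"  {q(u)} -> {q(t)} [label={q(c)}];")
    return "\n".join(out + ["}"]) + "\n"               # Step 6: text of the .dot file

if __name__ == "__main__":
    print(write_dot(read_rows(SAMPLE), ["vendor maintenance", "invoice entry", "payment"]))
```

Saving the returned text to a file and passing it to a Graphviz layout program such as `dot -Tpng` produces the diagram; changing the list of duties yields the other segregation-of-duties views from the same data.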

Implementation and Testing
• Tested on SAP ERP system of a large organization
• They provided a sample of accounting transaction data which included between 500,000 and 800,000 individual transactions across the various data tables, for a six month period
• Investigation
  • Violations in SoDs
  • Anomalies relating to vendor bank accounts

Users performing vendor maintenance, entering invoice and processing payments
(Note: multiple edges from a user node to a specific transaction code node indicate that the user has entered the same transaction type across multiple company codes within the SAP ERP system)

Users performing vendor maintenance and processing payments
(Note: multiple edges from a user node to a specific transaction code node indicate that the user has entered the same transaction type across multiple company codes within the SAP ERP system)

Users performing vendor maintenance and entering invoices
(Note: multiple edges from a user node to a specific transaction code node indicate that the user has entered the same transaction type across multiple company codes within the SAP ERP system)

Users entering invoices and processing payments
(Note: multiple edges from a user node to a specific transaction code node indicate that the user has entered the same transaction type across multiple company codes within the SAP ERP system)

Vendors sharing bank accounts

Vendors with multiple bank accounts

Timeline analysis for vendor bank account changes

This is a payment

Detailed activities of a single risky user

Targeting a specific vendor to identify which users have interacted with the vendor

Potential to “see” relationships among multiple users and common vendors

What’s going on here?

Benford’s Law: Law of Large Numbers
• Benford's law of large numbers gives expected frequencies of digits in numerical data.
• Analysis of the first two digits for vendor invoices revealed large deviations at 11, 22, 27, 36, 45, 54 and 67.
• Other smaller deviations were also observed but appeared insignificant.
• 36 was selected as this was the largest. The investigation revealed 1217 invoice transactions, all containing 36 as the first two digits.
• Several identical amounts appeared to have been recorded for the same vendors. These transactions were entered by different users. A follow up investigation was conducted and several duplicate invoices were discovered. (Further details of this investigation were not provided by the organization).
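
The first-two-digits test and the follow-up search for identical amounts can be sketched as below. This is an added example, not the study's tool: the invoice rows are constructed, the expected share for digits d is log10(1 + 1/d), and ranking by a z-score without continuity correction is an assumption of the example.

```python
import math
from collections import Counter

def first_two(amount):
    """First two significant digits of an amount held to 2 decimals, or None."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[:2]) if len(digits) >= 2 else None

def expected(d):
    """Benford probability that the first two digits are d (10..99)."""
    return math.log10(1 + 1 / d)

def deviations(rows):
    """(digits, observed share, expected share, z), largest z first."""
    counts = Counter(first_two(amt) for _, amt in rows)
    counts.pop(None, None)          # amounts with fewer than two significant digits
    n = sum(counts.values())
    result = []
    for d in range(10, 100):
        obs, exp = counts[d] / n, expected(d)
        z = abs(obs - exp) / math.sqrt(exp * (1 - exp) / n)
        result.append((d, obs, exp, z))
    return sorted(result, key=lambda r: r[3], reverse=True)

def repeated_amounts(rows, prefix):
    """(vendor, amount, count) for amounts recorded more than once under one prefix."""
    groups = Counter((v, amt) for v, amt in rows if first_two(amt) == prefix)
    return sorted((v, amt, c) for (v, amt), c in groups.items() if c > 1)

# Constructed data: 2000 log-uniform amounts (close to Benford) plus repeated invoices.
ROWS = [(f"V{i % 40:03d}", round(10 ** (1 + 3 * i / 2000), 2)) for i in range(2000)]
ROWS += [("V900", 3650.00)] * 80 + [("V901", 36.25)] * 40

if __name__ == "__main__":
    top = deviations(ROWS)[0]
    print(top[0], repeated_amounts(ROWS, top[0]))
```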

Benford’s Analysis

Validation
• Reviewed by the Executive Director – Information Systems Audit of a top international accounting firm, who stated: ‘…Automated fraud detection software can provide internal auditors with a tool to efficiently assess the presence of fraud within an organization…. In general, I found the functionality of the tool to be useful. The user interface would require a minimal level of training and some level of understanding of the SAP application, which is a reasonable constraint. The graphs and visualizations clearly communicated a message for the reader.’

Feedback from auditing practitioners
• Feedback from a panel of auditing practitioners was very positive.
• They found the visualizations easy to understand, and useful in aggregating large volumes of data.
• Visualizations were seen as enabling identification of relationships or patterns in data that would otherwise be difficult in textual data.
• Overall, the panel rated the visualizations as innovative and important tools in a fraud investigator's toolkit

Conclusion
• New and evolving opportunities for fraudsters
• Thousands of transactions daily generate thousands of lines of data in ERP system - novel approaches required to leverage the amount of data
• Hidden among gigabytes of data may possibly be fraudulent transactions - near impossible to detect.
• Forensic analysts and auditors seeking new and innovative methods to discover fraud
• Complete fraud detection is challenging - no “silver bullet”
• Visualization, when combined with other methodologies, may improve an auditor’s ability to identify suspicious activities not otherwise identifiable, and to encourage further investigations.

References
• Singh, K. & Best, P. (2016) Interactive visual analysis of anomalous accounts payable transactions in SAP enterprise systems. Managerial Auditing Journal 31(1), 35-63
• Little, A. & Best, P.J. (2003) A framework for separation of duties in an SAP R/3 environment. Managerial Auditing Journal 18(5), 419-430
• ACFE (2014) Report to the Nation on Occupational Fraud and Abuse, http://www.acfe.com/rttn. Accessed: 2 June 2014
