Upload
danghuong
View
223
Download
0
Embed Size (px)
Citation preview
Using Technology to Automate
Fraud Detection Within Key
Business Process Areas
2013 ACFE Canadian Fraud Conference
September 10, 2013
John Verver, CA, CISA, CMA
Vice President, Strategy
ACL Services Ltd
2 © ACL Services Ltd. ACL | Transforming Audit and Risk
Topics
Fraud detection and integrated audit, risk management and compliance
Role of data analysis technology in fraud detection
Automation of fraud detection analytics and continuous monitoring
Practical steps for implementation
Examples of fraud tests for key business process areas
3 © ACL Services Ltd. ACL | Transforming Audit and Risk
Integrated Audit, Risk Management, and
Compliance
Enterprise Risk Management gaining momentum
Fraud a key focus area for risk management and control
Increasing trend toward continuous risk and control assessment
Technology is critical but underutilized
“Data driven” risk management, control, and compliance
4 © ACL Services Ltd. ACL | Transforming Audit and Risk
Technology and Fraud Detection
Surveys by IIA, Big 4, and ACL
Technology: a critical factor for successful performance in risk
management, audit, and fraud detection
Data analysis is the technology expected to have the greatest
impact on effectiveness and productivity.
5 © ACL Services Ltd. ACL | Transforming Audit and Risk
Fraud and Risk Management
ACL’s 2013 Survey of 2,200 audit, risk management, and
compliance professionals
Internal fraud and abuse area of highest concern
6 © ACL Services Ltd. ACL | Transforming Audit and Risk
Decide on Strategic Approach
Integrate fraud-detection analytical testing into those of overall
risk management and control?
Automated fraud detection as a standalone function?
7 © ACL Services Ltd. ACL | Transforming Audit and Risk
Fundamentals of technology for fraud
detection
Analyze 100% populations of transactional data (plus master
data and application control settings)
Identify indicators of fraudulent activities
Overall statistical analysis to indicate anomalies (“don’t know
what you don’t know”)
Specific analysis to identify specific circumstances that indicate
a high probability of fraud
Compare data across different databases and systems
Generate “exceptions”—suspect items for review and
investigation
8 © ACL Services Ltd. ACL | Transforming Audit and Risk
Capabilities of data analysis
technologies for fraud detection
Pre-built analytic routines
– classification, stratification, duplicate testing, aging, join, match, compare,
statistical analysis, digital analysis (Benford)
Flexibility to support full automation and complex tests
Automated logging
Ability to access and manipulate a broad range of data
Scheduled automatic processing
Security
Workflow and exception management
Dashboard reporting
9 © ACL Services Ltd. ACL | Transforming Audit and Risk
Continuous Monitoring Model
Access transactional data from disparate sources
Controls & Compliance Rules
Historical and statistical
transactional profiling
Significant Control Breaches
Suspect Transactions
Transactional Data
Data Data Data
Alerts
Findings
Financial & Business Unit Managers & Audit
Management & Audit Action
Immediate notification
of critical exposures
Transactions detailed
for further analysis
Investigations, recoveries, and
improved controls and
procedures
Test transactional data against established internal control
rules and transactional profiles
10 © ACL Services Ltd. ACL | Transforming Audit and Risk
Audit Analytic Capability Model
Sophistication
Aud
it C
ontr
ibut
ion
Hindsight
Insight
Foresight
Level 4
Automated
Level 5
Monitoring
ad hoc repetitive continuous
Level 3
Managed
Level 2
Applied
Level 1
Basic
11 © ACL Services Ltd. ACL | Transforming Audit and Risk
Audit Analytic Capability Model
Sophistication
Aud
it C
ontr
ibut
ion
Hindsight
Insight
Foresight
Level 4
Automated
Level 5
Monitoring
ad hoc repetitive continuous
Level 3
Managed
Level 2
Applied
Level 1
Basic
Ad Hoc 67%
Automated
Repeatable 22%
Continuous 11%
Survey responses: Level of current audit analytics usage
12 © ACL Services Ltd. ACL | Transforming Audit and Risk
Audit Analytic Capability Model
Sophistication
Aud
it C
ontr
ibut
ion
Hindsight
Insight
Foresight
Level 4
Automated
Level 5
Monitoring
ad hoc repetitive continuous
Level 3
Managed
Level 2
Applied
Level 1
Basic
0%
Survey responses: Level of highest desired analytics usage
0%
30%
3%
67%
13 © ACL Services Ltd. ACL | Transforming Audit and Risk
Continuous Monitoring for Fraud
Detection
Timely repeated processing of tests against recent transactions
Provides timely insight and reduces risk of fraud escalation
Actual timing varies according to cycles of the underlying
process
Technically, progression from ad-hoc test processing to
continuous monitoring is not usually complex
Critical issues to address are people and process
14 © ACL Services Ltd. ACL | Transforming Audit and Risk
Implementation steps for effective and
sustainable fraud detection (1)
Define overall objectives, including decision on fraud detection
as part of an overall risk management and control testing vs.
standalone function
Assign roles and responsibilities
Define fraud risks to be tested—“fraud risk universe”
For each fraud risk, establish data analysis fraud detection test
in terms of:
– data requirements
– data access processes
– analysis logic
15 © ACL Services Ltd. ACL | Transforming Audit and Risk
Implementation steps for effective and
sustainable fraud detection (2)
Coordinate with IT department
Develop tests
Validate tests
Establish timing and responsibilities for automated test
processing
Establish workflow and responsibilities for exception
management and resolution
Implement reporting processes
16 © ACL Services Ltd. ACL | Transforming Audit and Risk
Fraud tests for key business process
areas
Start with core set of basic tests for a business process area
Progressively build and implement a broader “library” of tests
for different business process areas
In practice, organizations may establish large libraries of tests
over a period of time
Fraud specialist or auditor is often in best position to
understand specific fraud risks in given business process
Develop analytics to reflect
1. known risks
2. potential risks in circumstances that are not likely to be foreseen
(DKWYDK)
17 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests for Purchase to
Pay (1)
P.O. with blank / zero amount
Split P.O.s (multiple under approval threshold)
Duplicate invoices (same #, same amount same date, same
vendor same amount)
Invoice amount paid > goods received
Invoices with no matching receiving report
Multiple invoices for same P.O. and date
Pattern of sequential invoices from a vendor
18 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests for Purchase to
Pay (2)
Unapproved vendors
Suspect purchases of consumer items
Employee and vendor with same:
– Name
– Address
– Phone number
– Bank account number
Vendor address is a mail drop
Payment without invoice
Vendor master—changes for brief periods
19 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests for Procurement
Cards
Purchases of consumer items
Suspect vendors
Prohibited merchant codes
Transactions made on weekends or holidays
Split transactions (multiple items under threshold)
Duplicate purchases (same item multiple employees)
20 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests for Order to
Cash
Unusually high sales discounts
Unusually high credit terms or limits
Frequent credit memos to the same customer
Shipments where employee address matches the ship address
21 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests for Payroll /HR
Terminated employees still on payroll
Multiple employees with same address
Unusually high O/T amounts and rates
Invalid SSNs
Unusually high commissions
22 © ACL Services Ltd. ACL | Transforming Audit and Risk
Examples of fraud tests
More information on fraud tests by business process and
industry is available on www.acl.com
Other resources include:
– TBD
23 © ACL Services Ltd. ACL | Transforming Audit and Risk
Best Practices for Integrated Fraud Detection
An integrated approach for technology in Audit, Risk,
and Control
Technology and data analysis as an integral part of risk and
control strategy, including fraud detection
Risk and controls management systems in place
CA and CM in operation
Risk and controls management systems integrate with fraud
detection objectives and audit risk assessment and planning
“Data Driven Risk Management”
“Data Driven Fraud Detection”
24 © ACL Services Ltd. ACL | Transforming Audit and Risk
Los Angeles Unified School District—Belmont
Learning Center
Data analysis use resulted in the identification of fraud and
abuse in excess of $70 million Fictitious vendors
Duplicate payments
Overbilling
No competitive bidding
Policy violations Exceeding purchasing limits
Improper coding
Some Real World Case Studies
25 © ACL Services Ltd. ACL | Transforming Audit and Risk
U.S. government agency
– $6.5 billion in annual procurement card purchases
Situation
– Millions of transactions occur each year
– Management oversight limited due to large number of
direct reports
– Organization encouraged to spend more using P-cards
due to rebate program
– Bad publicity resulted in more oversight from Congress
Some Real World Case Studies
26 © ACL Services Ltd. ACL | Transforming Audit and Risk
U.S. government agency
– $6.5 billion in annual procurement card purchases
Approach
– Used data analysis to monitor 12 million transactions
– 38 indicators of inappropriate transactions established
and compared to actual data
– Data from disparate sources integrated including
employee listings, authorizations, merchant
restrictions, credit limits
Some Real World Case Studies
27 © ACL Services Ltd. ACL | Transforming Audit and Risk
U.S. government agency
– $6.5 billion in annual procurement card purchases
Result
– Identified $38 Million in suspect transactions (13,500
transactions or 0.001%)
– 2,000 cardholders flagged for further investigation
– Created timely and cost-effective reporting system to
follow-up with vendors and banks in subsequent
recovery process
Some Real World Case Studies
28 © ACL Services Ltd. ACL | Transforming Audit and Risk
For more information
John Verver
Vice President, Strategy
ACL Services
www.acl.com
Tel. (604) 646 4230