By Peter Goldmann, CFE
Data analytics -- the practice of assessing bodies of business data to identify potential indicators of fraud -- is slowly, but surely, becoming a mainstay of the fraud fighter’s professional repertoire.
Books, articles and white papers have been published about the virtues of using computers to manipulate data to ramp up the task of locating smoking guns in fraud cases. Yet, according to recent indicators, large segments of the anti-fraud community have yet to incorporate these automated tools into their fraud audit and detection practices.
A recent survey by the Web portal AuditNet.org illustrates this point: AuditNet asked internal auditors whether their organizations owned data analysis software and had a defined strategy for using it for all audits (including fraud audits). The largest group of respondents (approximately 30 percent) said they do not use data analysis technology to detect or investigate fraud.
Another 23 percent of auditors said they determine on a case-by-case basis when to employ data analysis but do not appear to have a defined strategy. Only 16 percent of those who use data analysis software indicated that they do have a defined strategy for using it to perform audits.
The software most widely used for detecting and investigating fraud includes ACL, IDEA, Excel, Access and ActiveData (an Excel add-in). Following is a chart showing the responses:
Important: Anti-fraud professionals predict that the trend toward adoption of these powerful tools will gradually gain momentum and eventually become a key part of auditors’ standard toolkit of techniques, tests and methodologies.
This is partly due to the fact that the professional standards relating to the auditor’s responsibility for detecting and preventing fraud changed in 2009 when the Institute of Internal Auditors (IIA) updated the International Professional Practices Framework (IPPF).
Auditors must now consider fraud risks and red flags as part of planning audits. In conjunction with these changes, the IIA released Practice Guides for Internal Auditing and Fraud, Fraud Prevention and Detection in an Automated World (GTAG 13) and Data Analysis Technologies (GTAG 16).
According to GTAG 13: “Data analysis technology enables auditors and other fraud examiners to analyze transactional data to obtain insights into the operating effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities.”
Furthermore, ISACA (formerly known as the Information Systems Audit and Control Association) -- a 95,000-member trade association for IT auditors -- recently published an informative white paper entitled “Data Analytics -- a Practical Approach.” In it, the authors state that “few would argue that an enterprise’s data are among its most valuable assets.
“Yet, without a way to obtain, cleanse, organize and evaluate the data, the enterprise is left with a vast, chaotic pool of ones and zeroes. Data analytics (DA) coaxes order from the chaos. It helps explain patterns, which in turn help the enterprise identify… problems before they spiral out of control. DA can be relatively simple, but it can also be extraordinarily complex. Its results can be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; and even influence business decisions.”
Most audit professionals and fraud examiners are aware of the ACFE’s “Report to the Nations” survey covering how frauds are detected, who commits fraud and the types of frauds perpetrated. The ACFE survey found that more than 40 percent of reported frauds are uncovered by tips. The report does not include questions relating to the use of technology in uncovering frauds.
Interestingly, though, a recently published report by the Australia-New Zealand arm of KPMG, entitled “Fraud and Misconduct Survey 2010 for Australia and New Zealand,” found that “conducting pro-active data analysis is the most widely implemented fraud detection strategy in those two countries” (emphasis added).
Specifically, 20 percent of organizations surveyed indicated that they had put data analysis procedures in place within the last two years and nearly one-half (47 percent) had such practices in place for more than two years.
Comparable data are not available for the U.S. or Europe, raising the obvious question of whether these audit automation tools are utilized on either side of the Atlantic to any meaningful extent -- either for fraud detection specifically, or for audit in general.
Note: The Australia-New Zealand report does indicate that internal controls represent the most common way that frauds are actually detected. However, anonymous tips come in last.
Benefits of Using Data Analysis
Whether the U.S. will catch up with Australia and New Zealand in the consistent use of data analytics to detect fraud remains to be seen. However, what is certain is that the software programs currently available for streamlining the fraud-audit process are both very affordable and not that difficult to master.
There are, according to ISACA, numerous ways of applying DA to fraud detection, some being more time- and money-consuming than others. However, most experts in applying DA to fraud detection agree that “the first step in detecting, investigating and auditing for fraud using data analysis is gaining access to the data,” as explained by Richard Cascarino of Richard Cascarino & Associates. And, says Cascarino, the key to doing so involves:
• Identifying your investigation objectives
• Arranging how to get the data needed (requires meeting with the data custodian (owner) and IT)
• Defining the required data parameters, including: determining data fields/files needed; formatting the files; recording layout of the file; timing the data transfer.
• Verifying the data received -- QA
Without becoming too encumbered by detail, suffice it to say that once this critical step is accomplished, the successful use of data analytics for nailing fraudsters simply requires importing the specific data needed for your fraud audit into whichever audit software tool you’ve chosen and mastering the steps required to test for red flags of virtually any type of fraud in a matter of moments.
Editor's Note: Please see the ACFE seminar "Using Data Analytics to Detect Fraud" to learn more.