Featured Article

Continuously Searching For Fraud: How An Internal Audit Department Maximized Its Technology

At our company, we frequently discover the joys of continuous auditing. Case in point: we discovered a match on an employee's phone number with a vendor's number. We investigated and found a clear conflict of interest; the employee was steering business toward his spouse's firm. We not only addressed this impropriety but it prompted our internal audit department to work with the company's general counsel to enhance the conflict of interest disclosure process. We probably wouldn't have found the inappropriate activity without our new continuous auditing system. And the best part? It really didn't cost that much. 
 
The term "continuous auditing" can mean different things to different audit shops. Some say it's simply using computer-assisted auditing tools to extract data. Others say it's embedding an audit module into a transactional system for real-time notification of discrepancies. Advances in technology make both processes feasible and help to enhance Sarbanes-Oxley compliance. There's a wide range of time and cost involved in implementing continuous auditing. Some custom software costs tens of thousands of dollars, but our system expenses at our insurance company have been minimal and the results satisfying. The annual cost for the tool is less than one-half of one percent of the department's annual budget. The tool has helped us identify impropriety as a result of matching employee names to vendor names, employee phone numbers to vendor phone numbers, and employee addresses to vendor addresses. We'll define continuous auditing in the ways we use it and make it work. 
 
SIX STEPS TO SUCCESS 
Continuous auditing at our company involves running and reviewing extracts every month. We use ACL Network Version software with Premium Support for claims data, payment data, and journal-entry data with a primary focus on fraud. (While we've been very successful using ACL, the software company didn't influence us in any way to write this article; we believe you can be successful with other tools in the marketplace. IDEA is another popular tool for continuous auditing.) We'll show you the ways we implemented our method of continuous auditing with limited resources. Here are our six steps including lessons learned and ways we now conduct continuous auditing. 
 
Prepare Management - Audit management and your audit committee might be accustomed to following standard audit templates and delivering reports within a set time frame. So as we were planning our new approach, we explained to them that it would require some time in the initial setup to analyze our current system for deficiencies and meet with members of the IT department to learn where the data was stored and ways to extract it. (More on this later.) But we told them we'd ultimately be conducting fewer and deeper audits, and they would eventually reap the rewards of better data analysis and cost savings. We also alerted the management of the departments we'd be auditing because we would be requesting larger extracted databases than any in the past. 
 
After you understand your data and the new ways to extract it, you'll probably spend less time conducting another audit of the same area or one using the same data. 
 
Understand Your Controls - In the planning phase, we're required to compose a narrative, which describes a process in detail including controls and a workflow that shows in a step-by-step diagram the flow of data with an emphasis on controls. To extract data, we need to understand the process, risks, and controls. (When we begin a new audit, we typically spend six to eight weeks of planning prior to fieldwork and keep in mind that audits overlap; as one audit is wrapping up, another is being planned.) We clearly list the types of data to be captured and the controls that are in place including descriptors such as systematic/preventive or manual/detective. 
 
Systematic/preventive controls are built into a system and prevent certain data from being processed, such as a check issued without an address. Manual/detective controls are after-the-fact reviews to identify concerns, such as a supervisor reviewing a check listing for P.O. box payments without a physical address. This is an important step for us because we focus more effort on those controls that rely on manual reviews. (We were skeptical of spending money on a canned continuous auditing system because controls are different for each company. The software we used allowed us to customize.) 
 
For example, some insurers (I'll use insurance examples because that's our business) allow a claim adjuster to add a payee to a claim, request a payment be issued to the payee, and take the check off the printer, while other insurers have systematically enforced segregation of duties to separate the ability to do these three things. (It was important to understand the differences in these controls so we could design the appropriate steps using ACL software.) 
 
We do a thorough walk-through test on the existing system, focusing on data entry. We challenge the system edits that we believe prevent certain inappropriate data entry. Employees responsible for data entry often claim "the system won't let me enter certain data such as a vendor without a tax ID number." However, we often discover that the system can be overridden. Or the users were told not to enter certain data, but the system actually doesn't prevent it. Finally, we do a risk assessment for each audit with particular emphasis on fraud. 
 
Based on the narrative, workflow, walk-through test and risk assessment, we develop an audit program with data analysis steps using the software. These steps clearly indicate the tests that we need to perform (such as claim payments made to employees) and the necessary data (for instance, a name field from claims payments and a name field from the human resources database). We thoroughly train all our auditors in ACL rather than rely on one or two individuals who know how to use the application. 
 
Your department will be more effective and efficient the more you can move from testing a sample of items for certain attributes toward testing the entire population for attributes captured electronically. 
 
Extract the Data - This is the most challenging and time-consuming process. Frequently, auditors become discouraged because business users often have little or no idea where the database resides or even who might assist them in IT. As we've mentioned, be sure to document in the audit program those attributes you want to test and the data you need and then ask IT where the specific data reside. This is much more effective than simply requesting all claims data that might be stored in multiple tables and perhaps even across multiple platforms. Once we identify the location of the data, we need to figure out how to get them into ACL. We're very successful with ODBC (open database connectivity), which allows for direct connection into the source system for pulling in the data. Our department and IT meet with ACL reps via phone conferences to discuss the best ways to access and capture the data. (Whenever possible, access the data directly so you can be better assured that no changes have been made to it.) 
 
Scrub the Data - We find that we need to vigorously scrub the data to make it useful for analysis after extraction. For example, say we wanted to see if any payments had been made to employees. We extract a payments file from the payables system and a list of employees from the human resources system. Chances are the name fields won't match. One field might be last name only, but the other is last name and first name. The software enables us to create new fields that are the same type (date, ASCII, etc.) and length to do matches. 
 
Review and Refine Extracts - We also learned that we need to carefully review our extracts for false positives and probably modify each extract after we review the results. You might realize you need to extract an additional field to enhance your analyses or refine the search by looking only at items that are over a certain age or dollar limit. 
 
Migrate to Continuous Auditing - We pick the extracts that yield the most valuable information. At the end of each audit we complete a lessons-learned checklist that includes a discussion of those extracts that were valuable. These discussions should continue monthly. Two factors influence any decisions to migrate extracts to continuous auditing. First, we consider the type of extract. Given the limited number of staff members who can review and eliminate false positives, we focus on suspected fraud or areas that might result in saved money for the company such as duplicate payments or missed subrogation. (Subrogation is the insurance company reimbursement process for losses and expenses from a responsible party.) Second, we consider the ease with which we can validate the output and eliminate false positives. For example, if we want to run an extract that generates questionable travel and entertainment expenses but the expense reports aren't available electronically or stored on-site, it might not be cost-effective for us to review the results monthly because of the need to obtain expense reports from remote locations to eliminate false positives. We might instead give management a report for review. 
 
Added Value - With each continuous auditing setup, we ask the managers if they're already receiving extracts that were done as part of an earlier audit but aren't related to fraud or revenue leakage and/or if they would like us to provide this data regularly. This could include, for example, extracts that provide information about the timeliness of processing transactions or transactions that exceed authority. We wouldn't necessarily run and review these extracts monthly in continuous auditing unless management saw the benefit. We might also run and provide monitoring reports when the support to validate the results isn't readily available, as noted in the travel and entertainment expenses example above. We've found that providing these types of analytics to management is a great value-added service and helps prove the worth of continuous auditing. 
 
After we've decided which extracts we should run monthly, we embed that information into a script. A script is simply a series of commands that allows data to be obtained from source systems and scrubbed, with output provided for review without intervention. We can run a script overnight and receive numerous outputs - such as duplicate payments and payments made to employees - and have the extracts exported in Excel files for review and documentation. We can embed extracts in a script and then export management's requested Excel output to its electronic folder for review. Scripting extracts has been a critical timesaver for us. We're running more than 30 extracts in claims, more than 30 in non-claim payments, and more than 15 in journal entries. You should rerun the extracts at least annually outside of the scripts to ensure you're getting the same results and that the data layout, type, length, etc., you're pulling in haven't changed. We discuss the results at quarterly department meetings and consider enhancing any scripts. 
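As an added illustration (not the authors' ACL script), here is the scrub-and-match logic of the steps above in Python: the name and phone fields from the two systems are normalized into match keys of one shape, the payables extract is matched against the HR extract, and exact duplicates are grouped. The records, field names, and the two-token name key are constructed assumptions.

```python
import csv
import re
from collections import defaultdict

# Constructed sample data (not from the article): a payables extract and an HR extract
# whose name and phone fields are formatted differently, as the article describes.
PAYMENTS = [
    {"check": "1001", "payee": "SMITH, JOHN A", "phone": "(309) 555-0142", "amount": 1250.00, "invoice": "A-77"},
    {"check": "1002", "payee": "Acme Body Shop", "phone": "309-555-0199", "amount": 880.50, "invoice": "INV-2201"},
    {"check": "1003", "payee": "Acme Body Shop", "phone": "309-555-0199", "amount": 880.50, "invoice": "inv-2201"},
    {"check": "1004", "payee": "Doe Jane", "phone": "", "amount": 300.00, "invoice": "9"},
]
EMPLOYEES = [
    {"emp_id": "E1", "last": "Smith", "first": "John", "phone": "1-309-555-0142"},
    {"emp_id": "E2", "last": "Doe", "first": "Jane", "phone": "309.555.0177"},
]


def norm_name(raw):
    """Scrub a name field: upper-case, turn 'LAST, FIRST' into 'LAST FIRST',
    drop punctuation, collapse whitespace."""
    s = raw.upper()
    if "," in s:
        last, first = s.split(",", 1)
        s = last + " " + first
    s = re.sub(r"[^A-Z ]", " ", s)
    return " ".join(s.split())


def name_key(raw):
    """Match key of the same shape for both files: first two tokens (last + first)."""
    return " ".join(norm_name(raw).split()[:2])


def norm_phone(raw):
    """Digits only, leading country code 1 dropped; '' when not a 10-digit number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else ""


def payments_to_employees(payments, employees):
    """Flag payments whose payee name or phone matches a current employee."""
    by_name = {name_key(f"{e['last']} {e['first']}"): e["emp_id"] for e in employees}
    by_phone = {norm_phone(e["phone"]): e["emp_id"] for e in employees if norm_phone(e["phone"])}
    hits = []
    for p in payments:
        matches = []
        if name_key(p["payee"]) in by_name:
            matches.append(("name", by_name[name_key(p["payee"])]))
        phone = norm_phone(p["phone"])
        if phone in by_phone:
            matches.append(("phone", by_phone[phone]))
        if matches:
            hits.append({"check": p["check"], "payee": p["payee"], "matches": matches})
    return hits


def duplicate_payments(payments):
    """Group on scrubbed payee + amount + invoice; return check-number groups of size > 1."""
    groups = defaultdict(list)
    for p in payments:
        groups[(norm_name(p["payee"]), p["amount"], p["invoice"].upper())].append(p["check"])
    return [checks for checks in groups.values() if len(checks) > 1]


def export_csv(rows, path):
    """Write a flagged list to CSV for the reviewer (the article exports to Excel)."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()) if rows else ["check"])
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    print(payments_to_employees(PAYMENTS, EMPLOYEES))
    print(duplicate_payments(PAYMENTS))
```

Every hit still needs the manual false-positive review the article describes; a shared surname alone is a lead, not a finding.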
 
We want to emphasize that any audit department should be able to follow a similar approach to implementing a continuous audit. We didn't undergo any extensive training; we've essentially taught ourselves how to use ACL software. We train new employees by having them create extracts themselves and comparing the results to what the scripts would provide to help ensure they're creating extracts correctly. 
 
Findings from continuous auditing have included duplicate payments, missed subrogation, and identifying a need to strengthen controls over disclosing potential conflicts of interest, to name a few. Total recovered dollars have paid for the software many times over. Of course, this is in addition to the valuable assurance our company receives from the monthly monitoring activity that we and our technology provide. 
 
CONTINUOUS AUDITING EXTRACTS 
We primarily assess the risk of fraud when we run monthly extracts across claims data and journal entry data. We also review areas that might produce money for the company, and we run non-claim-specific extracts across monthly non-claim data. A reviewer checks each report for specific validations, processes, or facts. The list covers numerous types of reports as discussed in the sections that follow. 
 
Reports for which the reviewer ensures the payee is valid: 
  • P.O. Box Payments - captures all payments made on a claim that included a post office box as the address
  • PMB Payments - captures all payments made on a claim that included a personal mail box (PMB) as the address that could be used to send fraudulent payments
  • Same Address, Different Payees 
  • Sequential Phone Numbers - these phone numbers could indicate an issuer had created a fraudulent payee 
  • Same Payee, Different Phones - this could indicate that the issuer created a fraudulent payee 
  • Same Phone, Different Payees 
  • Blank Payee Address - captures all payments made in which the address field was left blank 
 
Reports for which the reviewer ensures the payments are valid: 
  • Supplemental Payments - captures all payments made on a claim after the file is closed 
  • Blank Payees 
  • Payments Made to a Five-digit Zip Code - captures all payments made to an address close to a home office where checks are printed, which could identify a fraudulent payment because the majority of our client's claims are outside of the home office area 
  • Payee Address Matches Current Employee 
  • Payee Address Matches Terminated Employee 
  • Duplicate Payments - captures duplicate payments in which one of the payments occurred during the testing period: the reviewer should investigate to ensure the payment is valid and not a true duplicate; if a true duplicate is identified, the reviewer should contact claims immediately to begin collections of the duplicate amount 
 
Reports for which the reviewer ensures both the payment and the payees are valid: 
  • Payee (Vendor) Phone Matches Employee Phone 
  • Payee (Vendor) Phone Matches Terminated Employee Phone 
  • Current Employee's Social Security Number Same as Payee (Vendor) Tax ID 
  • Terminated Employee's Social Security Number Same as Payee (Vendor) Tax ID 
  • Payee's (Vendor's) Last Name Equals Current Employee 
  • Payee's (Vendor's) Last Name Equals Terminated Employee 
  • Joint Vendor For Reasonableness - captures all payments made during the scope of a review: the reviewer investigates the listing of payments for reasonableness 
 
Report for which the reviewer ensures the addresses are valid: 
  • Same Payee (Vendor), Different Addresses 

Reports for which the reviewer ensures the invoices are valid: 
  • Sequential Invoices - could indicate a fictitious invoice 
  • Weekend (Saturday, Sunday) Invoices - could indicate fraud because most billing operations aren't open on the weekend 
 
Reports for which the reviewer ensures the claims are valid: 
  • Multiple Claims, Same Payee 
  • Claims Made Within Five Days of Effective Date 
 
Report for which the reviewer ensures the claimants are valid: 
  • Claimant Added 60 Days After the Claim Was Set up - identifies cases in which the insurance examiner added a possible fictitious party to the claim 
 
Reports requiring other types of oversight: 
  • Invalid Tax ID - captures all expense payments sorted by tax IDs: the reviewer investigates all payments in which there are no tax IDs, the tax IDs are all 9s, or the tax IDs contain alpha characters, for a possible fictitious vendor
  • Missed Subrogation - not focused on impropriety, identifies missed subrogation on transportation claims and captures claims that involve physical damage only: the reviewer checks each claim to determine if a third party was involved and who was at fault for the accident; if a third party was responsible for the loss, the reviewer ensures the claim representative has documentation in the file indicating the reasons subrogation wasn't pursued
  • Stair-stepping - identifies payments made within five days of a case reserve, which is the liability that's established to reflect the ultimate cost of the claim: the reviewer determines if there was sufficient evidence to put up the case reserve earlier and if the case was established simply to issue the check; this helps to ensure we're establishing reserves in a timely manner
  • Duplicate Invoices - captures duplicate invoice numbers in which one of the invoices was billed during the testing period: the reviewer ensures invoices are valid and not true duplicates; if the reviewer identifies a true duplicate, he or she should contact the claims department immediately to begin the collection of the duplicate amount
  • Payment and Reserve Authority - compares each claim examiner payment and reserve authority (reserve authority is the liability limit that a claim adjuster is allowed to establish on a claim): the reviewer will investigate for documented approval in the claim file any transaction executed for the month being reviewed that makes the total incurred higher than the claim handler's authority 
  • Claim Within Five Days of an Endorsement - identifies claims that the reviewer investigates to ensure endorsement/coverage change wasn't backdated or placed prior to expected catastrophe 
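An added example, not from the article, implementing several of the payee and invoice extracts above (P.O. box and PMB addresses, invalid tax IDs, weekend invoices, sequential invoice numbers) over a constructed sample of claim payments; the field names and the three-invoice run threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample claim payments (not the article's data); inv_date is the invoice date.
PAYMENTS = [
    {"check": "2001", "payee": "Acme Body Shop", "address": "1200 Adams St, Peoria IL", "tax_id": "371234567", "invoice": "5001", "inv_date": date(2024, 3, 4)},
    {"check": "2002", "payee": "Acme Body Shop", "address": "1200 Adams St, Peoria IL", "tax_id": "371234567", "invoice": "5002", "inv_date": date(2024, 3, 11)},
    {"check": "2003", "payee": "Acme Body Shop", "address": "1200 Adams St, Peoria IL", "tax_id": "371234567", "invoice": "5003", "inv_date": date(2024, 3, 16)},
    {"check": "2004", "payee": "Quick Glass", "address": "PO Box 412, Peoria IL", "tax_id": "999999999", "invoice": "A17", "inv_date": date(2024, 3, 13)},
    {"check": "2005", "payee": "Quick Glass", "address": "PMB 220, 500 Main St, Peoria IL", "tax_id": "", "invoice": "A18", "inv_date": date(2024, 3, 17)},
    {"check": "2006", "payee": "Rent-A-Car LLC", "address": "88 Elm Ave, Peoria IL", "tax_id": "37AB34567", "invoice": "77", "inv_date": date(2024, 3, 14)},
]

PO_BOX = re.compile(r"\b(?:P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b", re.I)
PMB = re.compile(r"\bPMB\b", re.I)


def po_box_payments(payments):
    """Payments whose address is a post office box."""
    return [p["check"] for p in payments if PO_BOX.search(p["address"])]


def pmb_payments(payments):
    """Payments whose address is a personal mail box."""
    return [p["check"] for p in payments if PMB.search(p["address"])]


def invalid_tax_ids(payments):
    """Blank, all 9s, or containing letters: the three conditions the reviewer works."""
    out = []
    for p in payments:
        tid = p["tax_id"].strip()
        if not tid:
            out.append((p["check"], "blank"))
        elif set(tid) == {"9"}:
            out.append((p["check"], "all 9s"))
        elif re.search(r"[A-Za-z]", tid):
            out.append((p["check"], "alpha characters"))
    return out


def weekend_invoices(payments):
    """Invoices dated on a Saturday (5) or Sunday (6)."""
    return [p["check"] for p in payments if p["inv_date"].weekday() >= 5]


def sequential_invoices(payments, min_run=3):
    """Per payee, runs of consecutive invoice numbers (trailing digits) of length >= min_run."""
    by_payee = defaultdict(list)
    for p in payments:
        m = re.search(r"(\d+)$", p["invoice"])
        if m:
            by_payee[p["payee"]].append((int(m.group(1)), p["invoice"]))
    runs = []
    for payee, items in by_payee.items():
        items.sort()
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] == prev[0] + 1:
                run.append(cur)
                continue
            if len(run) >= min_run:
                runs.append((payee, [inv for _, inv in run]))
            run = [cur]
        if len(run) >= min_run:
            runs.append((payee, [inv for _, inv in run]))
    return runs
```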
 
CONTINUOUS AUDITING JOURNAL ENTRY EXTRACTS 
  • Manual Journal Entries for Employee Bonuses - finds journal entries made to the associate bonus accounts not done by the payroll administrator or the general ledger administrator
  • Manual Journal Entries for Premium - searches for entries made to the direct written premium account for possible fictitious revenue: this report should be blank or have reversing entries
  • Manual Journal Entries by Executives - flags entries posted by executives, to detect executives influencing the financials
  • Manual Journal Entries to Fixed Assets - detects possible inflation of fixed assets; only general ledger clerks should make these entries
  • Duplicate Journal Entries - finds entries made to the same general ledger account in the same month with the same amount 
  • Journal Entries with Blank Reference - finds entries that were created by the user in which the reference fields are blank 
  • Write-Off Journal Entries - shows entries with the words "write" or "off" in the description; review to ensure there's a legitimate reason for the write-off 
  • Valid ESOP/401(k) Journal Entries - identifies entries to the ESOP (Employee Stock Ownership Plan)/401(k) not made by the benefits specialist 
  • Inappropriate Securities Journal Entries - picks up entries made to securities accounts by someone other than investment personnel 
  • Payroll Journal Entries - catches entries made to payroll accounts done by someone other than the payroll administrator 
  • Options and Dividends - catches any entries made to stock options or dividend accounts made by someone outside of the treasury department who has sole responsibility for journal entries related to options and dividends 
  • Journal Entries Indicating Executive Involvement - catches entries whose description contains "per" followed by the CFO's, CEO's, or COO's name, to determine if there's any inappropriate influence on entries 
  • Incorrect Period - catches entries made in the current month of review but posted to the previous month 
  • Weekend Journal Entries - catches journal entries made on a Saturday or Sunday, which the reviewer should investigate for appropriateness 
  • Booking Fictitious Fixed Assets - identifies a debit to fixed asset and a credit to equity, which the reviewer should investigate for possible inflating of fixed assets 
  • Debit and Credit on Accounts Receivable - identifies journal entries with a debit and credit, which might indicate rolling a receivable balance forward to avoid bad debt expense 
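Added example (not the authors' script) of the journal-entry extracts above that hinge on who posted the entry: a role table and an account-owner map drive the segregation-of-duties checks, alongside the "per executive name" and incorrect-period tests. The user names, roles, account labels, and executive names are constructed.

```python
import re
from datetime import date

# Constructed journal-entry extract and role table (not the article's data). 'entered' is the
# date the entry was keyed; 'period' is the accounting month it was posted to.
ENTRIES = [
    {"je": "J1", "account": "payroll", "user": "jdoe", "entered": date(2024, 3, 4), "period": "2024-03", "desc": "March payroll accrual"},
    {"je": "J2", "account": "payroll", "user": "msmith", "entered": date(2024, 3, 6), "period": "2024-03", "desc": "Payroll reclass"},
    {"je": "J3", "account": "fixed_assets", "user": "rlane", "entered": date(2024, 3, 8), "period": "2024-03", "desc": "Capitalize server build"},
    {"je": "J4", "account": "esop_401k", "user": "tbenefits", "entered": date(2024, 3, 5), "period": "2024-02", "desc": "Feb 401(k) match"},
    {"je": "J5", "account": "bonus", "user": "msmith", "entered": date(2024, 3, 12), "period": "2024-03", "desc": "Bonus true-up per R. Lane"},
]
ROLES = {"jdoe": "payroll_admin", "msmith": "gl_clerk", "rlane": "executive", "tbenefits": "benefits_specialist"}
# Roles allowed to post to each sensitive account, following the article's descriptions.
ACCOUNT_OWNERS = {
    "payroll": {"payroll_admin"},
    "bonus": {"payroll_admin", "gl_admin"},
    "fixed_assets": {"gl_clerk"},
    "esop_401k": {"benefits_specialist"},
    "securities": {"investment"},
}
EXEC_NAMES = {"CFO": "R. Lane", "CEO": "M. Chen", "COO": "D. Ortiz"}


def sod_exceptions(entries, roles=ROLES, owners=ACCOUNT_OWNERS):
    """Entries to a sensitive account by a user whose role is not an allowed poster."""
    out = []
    for e in entries:
        allowed = owners.get(e["account"])
        if allowed is not None and roles.get(e["user"]) not in allowed:
            out.append((e["je"], e["account"], e["user"]))
    return out


def executive_entries(entries, roles=ROLES):
    """Manual entries posted by someone whose role is executive."""
    return [e["je"] for e in entries if roles.get(e["user"]) == "executive"]


def executive_references(entries, execs=EXEC_NAMES):
    """Descriptions that say 'per <executive name>'."""
    pat = re.compile(r"\bper\s+(" + "|".join(re.escape(n) for n in execs.values()) + r")", re.I)
    return [e["je"] for e in entries if pat.search(e["desc"])]


def incorrect_period(entries, review_month):
    """Keyed during the review month (YYYY-MM) but posted to an earlier period."""
    return [e["je"] for e in entries
            if e["entered"].strftime("%Y-%m") == review_month and e["period"] < review_month]
```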
 
QUALITY CONTINUOUS AUDITING 
No auditing department has to spend tens of thousands of dollars to construct a quality continuous audit program. With a modestly priced software package and the cooperation of management, you can follow our steps to establish a system that will save your organization money and find hidden fraud. 
 
QUALITY REVIEW CHECKLIST 
  • Audit name
  • Audit lead
  • Other team members
  • Date announcement memo sent
  • Date engagement memo sent
  • Date fieldwork began
  • Date report issued
  • Budgeted hours
  • Actual hours
  • Date customer survey sent
 
 
LESSONS LEARNED QUESTIONS 
  • Have the work papers been reviewed? Were all the work papers reviewed prior to report issuance? 
  • Has the customer survey been sent out and have results been recorded in the customer survey tracking report? 
  • Did the customer identify any areas needing improvement? If so, what if anything would we do differently to improve customer opinions? 
  • Was the announcement memo sent out at least six weeks prior to fieldwork? If not, why not? 
  • Was the engagement memo sent out at least three weeks prior to fieldwork? If not, why not? 
  • Were the narrative, workflow, risk assessment, audit program, and GANTT chart developed three weeks prior to fieldwork and e-mailed to the VP of internal audit to ensure timely completion? 
  • What data analytics were helpful? 
  • What data analytics should be developed for future audits? 
  • What data analytics should be developed for future use in continuous audit modules? 
  • What were the actual hours for the audit? Explain any variance of 10 percent or more of budget versus actual. 
  • Was too much, too little, or the correct number of hours budgeted to each phase of the audit? To each task within each phase? 
  • Was there any unplanned downtime? 
  • Was the staffing level of the project adequate? 
  • Did team members have enough business and/or technical knowledge or receive adequate training prior to or during the audit? 
  • Was there too much, too little or the right amount of interaction between team members? 
  • Was team communication effective? Was communication with the customer effective? 
  • What audit processes did not work well? Are there any procedures or outputs that you would change or eliminate? 
  • What tools did you use that were helpful? What tools did you use that were less than helpful? 
  • What resources were used to develop the audit program/risk assessment? 
  • What changes to the audit process, tasks, and deliverables would you suggest? Is there anything that would have improved the quality of the audit results? Is there anything you would change to reduce the time spent performing the audit? 
  • Has a clean version of the audit program been saved to the shared drive? 
  • Have the issues been recorded in Issue Tracking? 
  • Has the macro risk assessment been updated to reflect our current perception of risk of the entity? 
  • Were there any issues that relate to financial reporting and/or SOX testing that should be brought to the attention of the internal control director? 
 
Pat Ferrell, CPCU, AIC, is audit director at RLI Insurance Co.   
 
Seth Davis, CFA, CIA, CPCU, is vice president of internal audit at RLI Insurance Co.   
 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
