In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated version of the Internal Control Integrated Framework—a leading framework designed for implementing and managing systems of internal controls, and assessing their effectiveness. The guidance includes 17 principles, with principle eight focused on fraud risk assessment. However, the framework lacked guidance on how to conduct a fraud risk assessment or how to assess its adequacy.
These limitations were addressed in September 2016 with the release of the Fraud Risk Management Guide. The guide supports the COSO framework and serves as a best practices guide for organizations looking to establish a more comprehensive approach to managing fraud risk. It encourages the use of data analytics in all aspects of fraud risk management, including assessment, prevention, detection, investigation and reporting.
What is clear is that data analytics is an increasingly critical element of conducting fraud risk management. In this blog, I look at the landscape of fraud risk management, including fraud assessment, monitoring, and investigations, and the key elements of these, in light of a number of guiding reports and best practices.
Governments under-utilized data analysis when addressing fraud risk
It was interesting to see that in May 2017, the Auditor General of Canada released a report which dealt with, among other things, the ability of government departments and agencies to address fraud risk. One of the key findings was that government agencies are not using data analysis effectively to assess fraud risk or to perform fraud prevention and detection activities.
The Auditor General’s recommendations for the procurement area stressed the importance of the use of data analytics to evaluate procurement and contracting controls and identify possible areas of concern. In particular, government departments need to improve system data integrity and introduce automated tools for analyzing procurement data to detect potential fraudulent activities. This will allow them to better utilize data analytics and data mining to detect red flags and potential procurement fraud risks including potential contract splitting, abuse of amendments, and inappropriate sole-source contracting. The report also stated that departments should implement risk-based reviews of contracts through a monitoring program to detect anomalies and ensure corrective action is taken where appropriate.
Data analysis and the fraud triangle
Having participated in the COSO guidance development as co-chair of the data analytics working group, I thought I would share some of my ideas and contributions to the guidance document.
Data analysis is a powerful tool for assessing fraud risk and for fraud prevention and detection. But according to an EY 2014 Global Fraud survey, 42% of companies with annual revenues of $100M to $1B are analyzing data sets under 10K records, and 71% of companies with more than $1B in sales are examining data sets of 1M records or fewer. This means that they are analyzing summarized data and are likely missing important fraud prevention and detection opportunities by not mining larger and more detailed transactional data sets.
Many auditors are aware of the fraud triangle (opportunity, pressure, and rationalization), but they do not often consider how data analysis can be used to address all aspects of the fraud triangle:
- Always watch – When people know you are looking, they are less likely to commit fraud
- Prevent fraud – Verify that the key controls are in place and working properly
- Detect instances of fraud earlier – The Association of Certified Fraud Examiners (ACFE) Report to the Nations 2016 reported a 50% reduction in duration and a 60% reduction in losses when proactive data analytics were used
- Focus the investigation – You know where to look and what to look at
- Determine losses – A reactive and proactive perspective can identify all similar transactions e.g., another instance of a payroll fraud at other locations
- Support the prosecution of fraudsters – By identifying the evidence, fully costing the fraud, and telling a compelling story to the jury
Analytics complements the identification and assessment of fraud risk, allows for the monitoring and assessment of controls in areas of highest fraud risk, and supports the detection and investigation of possible fraud.
Assess the risks of fraudulent activities occurring
In areas of highest fraud risk, analytics can be used to search for control weaknesses and anomalies that could be indicators of fraud. The Statement on Auditing Standards #99 defines various factors for assessing the risk of fraudulent financial reporting and other fraudulent acts. It also encourages you to devise appropriate data analysis strategies for each risk factor.
For example, if you are in a competitive industry, rapidly changing technology can lead to obsolete inventory. This creates a risk that the inventory may not be appropriately re-evaluated, resulting in an overstatement on the financial report. The data analysis to identify and assess this risk factor could include checking the date and results of the last inventory evaluation, and assessing inventory turnover figures.
If your company has attractive or easily transportable items in inventory, then you are at risk of theft. Analytical tests could include verifying the effectiveness of the inventory controls by looking at trends in reorder quantity versus use in production or sales, and identifying write-offs and the use of management overrides to adjust inventory levels.
How data analysis supports the fraud monitoring plan
In areas of highest fraud risk, you should develop a fraud monitoring plan. The monitoring plan identifies the four Ws of the analysis that will be performed: Why, What, Where, and What’s Next. For example, if there was a fraud risk that attractive inventory items could be declared unrepairable, written off as scrap, and taken home by an employee, we would expect a separation of duties that precludes the same employee from both declaring an item unrepairable and writing it off. In this scenario, data analysis could identify all employees who declared items as unrepairable and all employees who declared items as a write-off. We would not expect to find the same person on both lists. If we did, we would follow up to see if their actions were applied to the same item.
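The separation-of-duties test described above, as an added example that is not part of the original post. The records are constructed, and the field names and action codes are assumptions; the test builds the two employee lists, intersects them, and then performs the follow-up check on whether both actions hit the same item.

```python
from collections import defaultdict

# Constructed sample inventory transactions (not real data). Field names and
# action codes are assumptions made for this illustration.
TRANSACTIONS = [
    {"item": "LAPTOP-0041", "action": "DECLARE_UNREPAIRABLE", "employee": "E102"},
    {"item": "LAPTOP-0041", "action": "WRITE_OFF", "employee": "E102"},
    {"item": "CAMERA-0007", "action": "DECLARE_UNREPAIRABLE", "employee": "E102"},
    {"item": "CAMERA-0007", "action": "WRITE_OFF", "employee": "E215"},
    {"item": "TABLET-0113", "action": "DECLARE_UNREPAIRABLE", "employee": "E215"},
    {"item": "TABLET-0113", "action": "WRITE_OFF", "employee": "E330"},
    {"item": "PHONE-0290", "action": "DECLARE_UNREPAIRABLE", "employee": "E330"},
    # Inconsistent case and stray whitespace, as often seen in extracted data.
    {"item": "PHONE-0290", "action": "write_off ", "employee": "e330"},
]


def _norm(value):
    """Normalise a key so 'e330' and 'E330 ' are treated as the same value."""
    return value.strip().upper()


def separation_of_duties_test(transactions):
    """Return (employees on both lists, (employee, item) same-item conflicts)."""
    declared = defaultdict(set)     # employee -> items declared unrepairable
    written_off = defaultdict(set)  # employee -> items written off
    for t in transactions:
        emp, item = _norm(t["employee"]), _norm(t["item"])
        action = _norm(t["action"])
        if action == "DECLARE_UNREPAIRABLE":
            declared[emp].add(item)
        elif action == "WRITE_OFF":
            written_off[emp].add(item)

    # Step 1: the same person should not appear on both lists.
    on_both_lists = sorted(set(declared) & set(written_off))
    # Step 2: follow up to see whether both actions applied to the same item.
    same_item = sorted(
        (emp, item)
        for emp in on_both_lists
        for item in declared[emp] & written_off[emp]
    )
    return on_both_lists, same_item


if __name__ == "__main__":
    both, conflicts = separation_of_duties_test(TRANSACTIONS)
    print("On both lists:", both)
    print("Same-item conflicts:", conflicts)
```

In this sample, one employee appears on both lists without ever performing both actions on the same item, which is why the item-level follow-up matters before treating a match as an exception.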
7 Elements to include in the fraud investigation
When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed fraud investigation plan. The following elements should be documented:
- Define objectives of the investigation by detailing why you are performing the analysis and what you want to accomplish
- Define the indicators of fraud by describing what the symptoms of fraud would look like in the data
- Identify the required data sources by working with IT and the business process owner to determine the appropriate source and timing of the required data
- Obtain and safeguard the data and determine which fields are required (e.g., one business unit or more; the best methods for obtaining the data; file formats; transfer mechanisms; and how you will safeguard the data)
- Determine the extent to which you can rely on the data and how you will assess the integrity and completeness of the data
- Test the integrity and completeness of the data
- Describe the analytics tests to be performed, the expected results, and the follow-up analyses
In cases of suspected fraud, the auditor must verify the data and analysis results with source documents or compare against other electronic sources. When performing the analysis, it is important to drill down into the data, to challenge your assumptions and results.
Act now! Make data analytics part of your fraud risk management
Numerous studies and surveys of CFOs and CAEs highlight the importance of data extraction, data analysis, and data visualization, not just to prevent and detect fraud, but also to test critical controls and assess process efficiency and effectiveness. If you are not already embracing the power of data analysis, what are you waiting for?
Written by: Dave Coderre, President, CAATS