Wow – never realized how much work this would be. I mean, I am only posting once a week – but it still takes a lot of time. Not getting many comments, but I hope people are enjoying and learning from the posts. I had hoped more people would share their experiences so we could learn from each other.
I was now interested in expanding my use of data analytics beyond testing of controls. There were numerous times when I had identified control weaknesses that were fraud risks and a number of times where we actually found a fraud occurring. This led me to the development of my third book: “Fraud Detection: Using Data Analysis Techniques to Detect Fraud” in 1999. The text included theory and numerous case studies which illustrated how ACL could be used to identify symptoms of fraud in the data. Examples such as STATISTICS on Receipt_Qty to find a receiving clerk fraud were included.
Once again, ACL agreed to publish the text and it received a favourable review from both the audit and investigative communities. It is still in print and people tell me that it has helped them with the fraud analytics. One expert from E&Y told me that he is using it with clients to talk about fraud risks and they usually go from “No fraud here” to “we really need to set up a proper fraud risk assessment and monitoring program”.
As I mentioned previously, our company had just implemented several ERP systems. In particular, we were using SAP for our financial system. About two years ago I had performed a test of the A/P process and had found a number of issues. Management’s initial concerns centered on possible duplicate payments and paying invoices early without the discount or paying them late and incurring late penalty charges. Keep in mind the fact that interest payments in the late 1990’s were much higher than today – can’t remember for sure but probably closer to 10%. Also, I could have posted this in 1996 and 1997, but the lessons learned applied to 1998 so I am posting now.
As part of the planning phase we looked at the business process, considered the possible risks, and identified the key data elements required by the financial system to process A/P transactions. This led us to additional risks beyond management’s duplicates and timeliness concerns. The A/P process handled about 500,000 invoices a year totaling almost $4B and included 4 larger invoice processing centers and 5 smaller ones.
The automated A/P process uses vendor name and address, payment terms, invoice date, general ledger account, quantity, unit price, amount, and payment method. In addition, we have the approving authority and the payment run authority. So we needed these data fields.
As part of the risk identification and assessment, we obtained the A/P data, plus some master tables (e.g. vendor, approval authority, and payment authority) and produced several high level summaries.
A Classify by Payment terms indicated a problem – too many invoices were being paid with “pay immediate” terms. These were paid immediately and did not qualify for early payment discounts. Pay immediate should only be used when the contract conditions stipulated that payment was due on receipt of goods/services or for utilities (gas, electricity, water, etc.).
A Classify on Payment method identified two issues: we were paying some invoices manually (we had been told that this was no longer permitted) and one A/P center was using electronic fund transfer (we had been told that all payments were made by check; remember this is 1999). When we raised this with management, they remembered that a small pilot project using EFT was being run at one A/P office. “Would you mind looking at that while you are checking on duplicates?” they asked.
A Stratify on invoice amount showed that almost 38% of the invoices were for less than $500 and 27% were less than $100. This raised efficiency and effectiveness concerns. Processing an invoice – received by mail; delivered to the approver by internal mail; manually reviewed; delivered to A/P by internal mail; entered by A/P; approved by the payment authority; check produced and mailed to vendor – cost about $100. We had implemented a p-card program to deal with low dollar purchases, but we still had 135,000 invoices that were less than $100; with a processing cost of $13.5M. If even half of these could be paid with p-cards (processing cost of $7) then we could save more than $6M.
A Classify on fiscal year told us that the late payment penalty transactions were increasing: from $1.6M four years ago to $7.9M. A Classify by A/P office determined that 3 of the 8 invoice processing centers were responsible for $6.8M of the late payments – so we knew where we needed to go.
The analysis allowed us to quickly identify risks in the A/P process that had not been identified by the risk based audit plan nor raised by management – in a few hours during the initial planning phase. In addition to duplicates and verifying management’s concerns around early/late payments, we identified risks around payment methods (manual and EFT), payment amounts, and the efficiency and effectiveness of the p-card program and the A/P process. We also determined where the onsite visits would be and what we needed to address when we were there.
ACL Commands: TOTAL, STATISTICS, CLASSIFY and STRATIFY
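The planning-phase summaries described above can be reproduced outside ACL. The following is an added example, not code from the original post and not ACL syntax: Python analogues of CLASSIFY and STRATIFY run over constructed invoice records. The field names, the approved-method list and all sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample A/P records: (office, terms, method, amount, late_penalty)
INVOICES = [
    ("A", "NET30", "CHECK", 1250.00, 0.00),
    ("A", "IMMEDIATE", "CHECK", 80.00, 0.00),
    ("A", "NET30", "MANUAL", 45.00, 0.00),
    ("B", "IMMEDIATE", "CHECK", 310.00, 0.00),
    ("B", "NET30", "CHECK", 9800.00, 120.00),
    ("B", "NET30", "CHECK", 60.00, 15.00),
    ("C", "NET30", "EFT", 2200.00, 0.00),
    ("C", "IMMEDIATE", "CHECK", 95.00, 0.00),
    ("C", "NET30", "CHECK", 480.00, 5.00),
    ("C", "NET30", "CHECK", 15000.00, 0.00),
]
FIELDS = ("office", "terms", "method", "amount", "late_penalty")
RECORDS = [dict(zip(FIELDS, row)) for row in INVOICES]

def classify(records, key, total_field="amount"):
    """Count and subtotal per distinct key value (CLASSIFY analogue)."""
    out = defaultdict(lambda: {"count": 0, "total": 0.0})
    for r in records:
        out[r[key]]["count"] += 1
        out[r[key]]["total"] += r[total_field]
    return dict(out)

def stratify(records, field, upper_bounds):
    """Count records per band; band i holds values below upper_bounds[i]."""
    counts = [0] * (len(upper_bounds) + 1)  # last band: at or above top bound
    for r in records:
        counts[sum(r[field] >= b for b in upper_bounds)] += 1
    return counts

def planning_flags(records, approved_methods=("CHECK",)):
    """High-level summaries used to scope the audit before fieldwork."""
    n = len(records)
    by_terms = classify(records, "terms")
    by_method = classify(records, "method")
    penalties = classify(records, "office", total_field="late_penalty")
    bands = stratify(records, "amount", [100, 500])
    return {
        "pay_immediate_share": by_terms.get("IMMEDIATE", {"count": 0})["count"] / n,
        "unapproved_methods": sorted(m for m in by_method if m not in approved_methods),
        "share_under_100": bands[0] / n,
        "share_under_500": (bands[0] + bands[1]) / n,
        "penalty_by_office": {o: v["total"] for o, v in penalties.items()},
    }
```

Payment methods that management believes are not in use, and penalty totals concentrated in a few offices, show up in these summaries without any record-level testing.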
Lessons-Learned: the main lesson-learned was the utility of analytics to assess risk during the planning phase of the audit. We could have simply checked for duplicates and for early payments without a corresponding discount and late payments, but examining the data that drove the business function and performing high-level summaries highlighted additional concerns. Our audit objectives were more complete and what we had learned in the planning phase shaped our audit objectives and scope, the audit work plan (we had to add steps to address EFT payments) and where we were going and what we would be looking for when we got there.
Next week I will continue with the analysis of the A/P data. I would argue that we were still in the planning phase, but we were already highlighting significant findings such as a significant number of low dollar invoices that could be eliminated by bolstering the p-card program. We were still only on day 1 of the analysis and had already identified more value-added findings/recommendations than a duplicates audit would have produced.