COSO had released an update to COSO-ERM which included Principle #8 (“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”) related to fraud risk. David Cotton (Cotton and Company LLP) put together a team of experts to develop guidance on how the audit profession and management could address the requirements of principle #8 and I was fortunate enough to be invited to be part of the team. In particular, I was co-chair, along with Vincent Walden (EY), of the sub-group on data analytics which was responsible for developing guidance on the use of analytics to assess risk of fraud and to prevent and detect fraud. It was an interesting and informative task that gave me the opportunity to work with many talented people. The final guidance “Fraud Risk Management Guide” was published by COSO in 2016.
The executive summary can be viewed at http://www.coso.org/documents/COSO-Fraud-Risk-Management-Guide-Executive-Summary.pdf
The following represents some of my thoughts on the area and served as input to the final guidance document.
Fraud Guidance – Data Analytics input
Data analysis is a powerful tool for assessing fraud risk and for fraud prevention and detection. But according to an EY 2014 Global Fraud survey: 42% of companies with revenues from $100M – $1B are working with data sets under 10K records; and 71% of companies with more than $1B in sales are working with data sets of 1M records or fewer. These companies may be missing important fraud prevention and detection opportunities by not mining larger data sets to more robustly monitor business activities.
Data analysis addresses all aspects of the fraud triangle:
- If people know you are looking, they are less likely to commit fraud
- Prevent fraud – verify that the key controls are in place and working properly
- Detect instances of fraud earlier – could catch the first transaction (ACFE 2014 – reported a 50% reduction in duration and a 60% reduction in losses when proactive data analytics were used)
- Focus the investigation – you know where to look and what to look at
- Determine losses – reactive; proactive: identify all similar transactions – perhaps at other locations (e.g. payroll fraud)
- Support the prosecution of people committing fraud – identify the evidence, fully cost the fraud, tell the story
The use of analytics supplements the identification and assessment of fraud risk; allows for the monitoring and assessment of controls in areas of highest fraud risk; and supports the detection and investigation of possible fraud.
Fraud Risk Assessment
The ACFE Report to the Nations 2016 stated that proactive fraud analytics can reduce the duration and the loss due to fraud by more than 50%. In areas of highest fraud risk, analytics can be used to search for control weaknesses and anomalies that could be indicators of fraud. The Statement on Auditing Standards (SAS) #99 defines various risk factors for assessing the risk of fraudulent financial reporting and other fraudulent acts. It also encourages you to devise appropriate data analysis strategies for each risk factor.
For example, if you are in a competitive industry, rapidly changing technology can lead to inventory becoming obsolete. This creates a risk that the inventory may not be appropriately re-evaluated, which would lead to an overstatement on the financial report. The data analysis to identify and assess this risk factor could include checking the date and results of the last inventory evaluation and assessing inventory turnover figures. If your company has attractive/easily transportable items in inventory, then you are at risk of theft. Analytical tests could include verifying the effectiveness of the inventory controls by looking at trends in reorder quantity versus use in production or sales and identifying write-offs and the use of management overrides to adjust inventory levels.
In areas of highest fraud risk you should develop a fraud monitoring plan. The monitoring plan identifies the Why, What, Where and What’s Next of the analysis that will be performed. For example, if there was a fraud risk that attractive items in inventory could be declared not repairable, written off as scrap and taken home by an employee, we would expect that there would be a separation of duties such that the same person would not be able to declare an item as not repairable and also write off the item. The data analysis would identify all employees who declared items as not repairable and those who declared items as a write-off. We would not expect to find the same person on both lists – if we did, we would follow up to see if their actions were applied to the same item.
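The separation-of-duties test described above, written out as an added example (it is not part of the original guidance). The record layout, field names and action codes are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of inventory action records (not real data).
# Field names and action codes are assumptions for this example.
EVENTS = [
    {"employee": "E101", "item": "LAP-0001", "action": "NOT_REPAIRABLE", "date": "2016-03-01"},
    {"employee": "E205", "item": "LAP-0001", "action": "WRITE_OFF", "date": "2016-03-04"},
    {"employee": "E101", "item": "CAM-0042", "action": "WRITE_OFF", "date": "2016-03-09"},
    {"employee": "E330", "item": "CAM-0042", "action": "NOT_REPAIRABLE", "date": "2016-03-07"},
    {"employee": "e412 ", "item": "TAB-0007", "action": "NOT_REPAIRABLE", "date": "2016-04-11"},
    {"employee": "E412", "item": "TAB-0007", "action": "WRITE_OFF", "date": "2016-04-12"},
    {"employee": "E205", "item": "TAB-0009", "action": "WRITE_OFF", "date": "2016-04-15"},
]

def _norm(value):
    # IDs keyed by hand often differ in case or padding; normalise before matching.
    return value.strip().upper()

def actions_by_employee(events):
    """Map employee -> action -> set of items that action was applied to."""
    index = defaultdict(lambda: defaultdict(set))
    for e in events:
        index[_norm(e["employee"])][_norm(e["action"])].add(_norm(e["item"]))
    return index

def on_both_lists(events):
    """Step 1: employees on both the not-repairable list and the write-off list."""
    idx = actions_by_employee(events)
    return sorted(emp for emp, acts in idx.items()
                  if acts.get("NOT_REPAIRABLE") and acts.get("WRITE_OFF"))

def same_item_conflicts(events):
    """Step 2 (follow-up): items where one person performed both actions."""
    idx = actions_by_employee(events)
    return sorted((emp, item)
                  for emp in on_both_lists(events)
                  for item in idx[emp]["NOT_REPAIRABLE"] & idx[emp]["WRITE_OFF"])

if __name__ == "__main__":
    print("On both lists:", on_both_lists(EVENTS))
    print("Same-item conflicts:", same_item_conflicts(EVENTS))
```

An employee who appears only in step 1 performed the two actions on different items; step 2 narrows the follow-up to the cases where the control itself failed.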
When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed fraud investigation plan. The following elements should be documented:
- Define objectives of investigation. Detail why you are performing the analysis.
- Define the indicators of fraud. Describe what the symptoms of fraud would look like in the data.
- Identify the required data sources. Working with IT and the business process owner – determine the appropriate source of the required data.
- Obtain and safeguard the required data. Determine which fields are required – single year or several; one business unit or more; the best methods for obtaining the data; file formats; transfer mechanisms; and how you will safeguard the data.
- Test the integrity and completeness of the data. Determine the extent to which you can rely on the data and how you will assess the integrity and completeness of the data.
- Analysis techniques. Describe the tests to be performed, the expected results and the follow up analyses.
In cases of suspected fraud, the auditor must verify to source or compare with other sources. When performing the analysis, it is important to drill down into the data – challenging the assumptions and results.
In addition to providing input in each of the chapters – from risk assessment to investigation – Vince and I provided a series of analytical tools and techniques that were presented in an index and are available online.