It is hard to perform analytics if you don’t know what data to get. Here are two simple approaches I developed that will help you.
The American Certified Fraud Examiners (ACFE) Report to the Nations 2018 states that proactive data analytics can reduce losses by 52% and the duration of frauds by 58%. And still many organizations do not use analytics to prevent or detect fraud. The question is “Why not?” The answer used to be “ability to access the data”, but with ERP systems and analytics tools and software that can connect to any data – this is a cop-out.
The real answer lies in both a reluctance to consider the use of analytics and the failure to do the work to understand the data that is required. But why is this? I think it is because the jump from “Fraud Risk Assessment” to “Perform this analytics” is too great. However, if you break it down into smaller steps – it is easier to see and do.
When my daughter was in grade 9, she brought home an algebra exam where she had questions marked “incorrect”. She was upset and wanted to know why her answers were wrong – she asked me to take a look. The first question was: X² + 10X – 17 = 7 and she had written X = 2, nothing else. I looked at it and asked her why she had written X = 2. “Because that is the answer”, she replied. I did the steps to isolate “X” and sure enough it was “2”. “Where was your work?”, I asked. “What work?” she replied. We went back and forth for a bit with her essentially saying, “I look at the equation and write down the answer”. I decided to test this and gave her the equation: 3X² + 7X = X + 72. She looked at it and said X = 4. I asked her if she had isolated “X” and moved things from one side of the equation to the other and she finally agreed that she was performing these “steps” even if automatically and instantly.
Sometime later I was trying to tell people what analysis to perform to determine if there was a fraud risk in a business area. “In this area, perform these analyses” I said. “Why?” was the response. “Because it will find fraud opportunities,” (i.e. fraud risk) I said. We went back and forth and then it dawned on me: like my daughter, I was not aware of the steps I had used to identify the needed data and the analysis. So I spent some time over the next few weeks to reverse engineer what I was doing. This led me to a series of steps that would simplify the task of going from “determining the fraud risk” in any business area to the “analysis that should be performed”.
The approach has two paths and I encourage you to do both as well as to brainstorm the fraud risk. Both approaches start with the objectives of the business area. The first looks at the sub-risks to the achievement of these objectives. It then asks you to identify the controls that would mitigate the risk. Next, what are the indicators that the controls might not be working? The last two steps ask you to identify the data required to test for these indicators and the analysis to be performed. The second starts with the business objectives and looks at the data that is required by the business process. Next, what are the controls over this data? Finally, what analysis would determine if the controls were working?
Accounts Payable example:
Objective: accurate, timely payment of valid/approved invoices.
Risk 1: we pay an invoice too early (or too late). Controls: data input control and system processing controls. Data required: Invoice date, payment date, payment terms. Analysis: Compare payment terms on invoice to payment terms on vendor master; compare invoice date to goods received date and to entry date. This analysis has found backdated invoice dates that resulted in the invoice being paid immediately and interest penalties applied – even though the invoice was not “late”.
Risk 2: we pay the wrong vendor or a fictitious vendor ………
Data: Vendor name, address, number; amount; invoice date; invoice number; payment terms; etc. Controls: over the vendor info – the vendor master table (who can create, modify or delete vendors). Analysis – summary by “Created by” in the vendor master table. This revealed that several A/P clerks were also creating false vendors and processing invoices to these vendors. Duplicates – identified vendors with multiple bank accounts.
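The Accounts Payable tests described under Risk 1 and Risk 2 can be written as a handful of small checks. The sketch below is an added example, not code from the original article; the field names, user IDs and sample records are constructed assumptions rather than any real ERP schema, and the "already due at entry" rule for backdating is one possible reading of the date comparison.

```python
from collections import Counter
from datetime import date

# Constructed sample data; field names are assumptions, not a real ERP schema.
VENDORS = {  # vendor master: vendor number -> terms, creator, bank accounts
    "V100": {"terms_days": 30, "created_by": "vm_admin", "bank_accts": ["111"]},
    "V200": {"terms_days": 30, "created_by": "ap_clerk7", "bank_accts": ["222", "333"]},
    "V300": {"terms_days": 45, "created_by": "vm_admin", "bank_accts": ["444"]},
}
INVOICES = [  # (invoice_no, vendor, invoice_date, goods_received, entry_date, terms_days, entered_by)
    ("INV-1", "V100", date(2018, 3, 1), date(2018, 2, 27), date(2018, 3, 3), 30, "ap_clerk2"),
    ("INV-2", "V200", date(2018, 1, 5), date(2018, 3, 1), date(2018, 3, 2), 30, "ap_clerk7"),
    ("INV-3", "V300", date(2018, 3, 10), date(2018, 3, 8), date(2018, 3, 12), 10, "ap_clerk2"),
]

def terms_mismatches(invoices, vendors):
    """Risk 1: invoice payment terms differ from the vendor master terms."""
    return [(no, terms, vendors[v]["terms_days"])
            for no, v, _, _, _, terms, _ in invoices
            if terms != vendors[v]["terms_days"]]

def backdated(invoices):
    """Risk 1: invoice dated before goods receipt and already due when entered."""
    return [no for no, _, inv, recv, entry, terms, _ in invoices
            if inv < recv and (entry - inv).days >= terms]

def creator_summary(vendors):
    """Risk 2: number of vendors per "Created by" user in the vendor master."""
    return Counter(v["created_by"] for v in vendors.values())

def creator_also_enters(invoices, vendors):
    """Risk 2: the same user created the vendor and entered an invoice for it."""
    return sorted({(who, v) for _, v, _, _, _, _, who in invoices
                   if vendors[v]["created_by"] == who})

def multi_bank(vendors):
    """Risk 2: vendors with more than one distinct bank account."""
    return [no for no, v in vendors.items() if len(set(v["bank_accts"])) > 1]

if __name__ == "__main__":
    print("Terms mismatches:", terms_mismatches(INVOICES, VENDORS))
    print("Backdated invoices:", backdated(INVOICES))
    print("Vendors by creator:", dict(creator_summary(VENDORS)))
    print("Creator also enters invoices:", creator_also_enters(INVOICES, VENDORS))
    print("Multiple bank accounts:", multi_bank(VENDORS))
```

Each function returns the exceptions for follow-up rather than a verdict; a flagged record is an indicator that a control may not be working, not proof of fraud.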
Completing the exercise of looking at the risks and the key data fields will help you to identify and assess fraud risks such as:
- Paid early / late
- Incorrect payment terms
- Fictitious vendors
- A/P clerk = Vendor
- Separation of duties (same clerk – creates vendor, processes goods receipt and processes invoice)
- Payment to wrong vendor
- Incorrect amount
- A/P clerk = Vendor
- Vendor only used by one A/P clerk
- SOD – A/P clerk performing goods receipt, creating vendor and entering invoice
But more importantly, the approaches – look at sub-risks and look at key fields – can be applied to any business process to go from “Fraud Risk” to “Analytics to Perform” because each step in the process is simple and understandable. You don’t have to buy specialized software or hire a consultant to help you. Just complete the templates – #1: risk to analytics; and #2: key fields to analytics.
Dave Coderre www.caats.ca