Total Number of Subscribers: 464
Date: 21st October 2008
Compiled by Mr. M. Sathya Kumar

Introduction :
Stephen, the Head of Internal Audit of a manufacturing major, ‘Brick and Mortar’, was presenting to the Audit Committee on the role of Internal Audit and Management Assurance Services in detecting indicators of frauds and red flags. The question most commonly encountered by every Chief Internal Auditor (CIA) is “To what extent should internal audit be empowered to detect indicators of frauds?” Stephen presented the role of the auditor in the new environment in terms of IT control reviews and risk assurance services, and physical document-based audits, apart from compliance with various directives, statutes and other regulatory requirements. As a means of increasing the extent of transaction testing by his audit staff and reducing the cost of audit operations, Stephen proposed the use of a Generalised Audit Software (GAS), which could help the inspection team query the system for better results and help in identifying trends, patterns and indicators of fraud.

The Audit Committee was supportive of the presentation and asked Stephen to implement GAS and make a presentation on the red flags detected as a result of the forensic review at the next meeting.

Methodology :
The Chief Internal Auditor set up a mid-size team within the department to take the initiative of implementing GAS. The team comprised two senior audit officials (who among them had a wide range of experience in various process activities of the Company like procurement, sales, finance and administration), a certified fraud examiner and an IT auditor (CISA). The team also took on, on a retainer basis, the services of a retired Central Bureau of Investigation Officer who was an expert in economic offence interrogations.

The entire audit manual was reviewed and specific forensic objectives were mapped to possible audit tests that could be conducted with or without GAS. The method of using e-GAS was debated and discussed by the group to ensure data integrity and confidentiality.

As it was not possible to log on to the production server owing to access restrictions maintained by the database administrator, the team faced the challenge of importing data for further analysis. The team decided to connect to specific data dumps (print report dumps from various modules of the ERP like materials, sales, etc.) provided by the DGM-IT. The data dump was provided by running File Transfer Protocol (FTP) on the DR Site Server, which is also used for reporting tools like Crystal Reports.

Bird’s-eye view of red flags which could be detected using GAS :

Employees as vendors :
An employee sets up a company and then funnels purchases to his company. Variations include a ‘ghost’ approach where invoices are sent from the employee’s company, but no actual goods or services are provided. In other instances, actual goods may be shipped.

To detect this type of fraud, ask operational managers to review new vendors as they come aboard. A phone call to the vendor may reveal suspicious activity. Make sure, however, that the person doing the review is not the perpetrator. With GAS, you can use sampling techniques to generate a list of vendors to verify.

Favourable treatment of vendors :
Look closely at vendors who have a relationship with an employee: a spouse, friend, social partner/buddy, etc. Pivot tables in GAS are effective in detecting this type of fraud. Once created, the table shows the percentage of purchases by each vendor. Always work with an operational expert to interpret the results. It is not normal if 60% of purchases are from a single vendor. This is a red flag and the reasons for such treatment need to be investigated.

Transactions at or near spending authorities :
Spending limits are often referred to as the ‘trigger price’. As soon as a pre-set limit is reached, the system automatically triggers some form of action or examination. The perpetrator’s goal is simply to avoid the trigger price. Generally, trigger prices are so well known that they actually become a policy. Where it is common knowledge that the spending authority limit is INR 50,000, the fraud is designed to stay under the trigger limit.

This can be detected by employing Benford’s Law of Digital Analysis to detect instances where prices are just below the trigger price. The Benford Curve will reveal sharp, striking indications of actual frequency occurrences close to the pre-prescribed limit.

Another common scenario involves making a single payment for purchases spread over several invoices. To close a sale, the vendor may accommodate this request. Prepayments again indicate a red flag. Comparing inventory records is also an effective way to detect this. If three invoices are used to account for the full amount, an inventory check could reveal only one set of goods. This can be accomplished by joining databases within GAS.

Teeming and Lading :
In Teeming and Lading (especially in cash collection centric businesses), the first lot of collections is defalcated by the perpetrator. To avoid the overdue amount being noticed, cash collections from the subsequent customer are applied to the first customer. In this systematic scheme of events, old invoices are always shown/made up as clear/settled/paid for, whereas new invoices for the latest customers are always shown as overdue, even though they have been paid.

In such cases, GAS can be used to extract current bills for current sales and current customers based on Stratified Random Sampling (Materiality of the Sale). These customers can be called by the Auditor (telephonically) to ascertain the balance in their books for debtor confirmation. Any foul play can be identified at once through such a scheme of events, unless there is systematic collusion between the vendor and the customer.

Forced fictitious sales to meet sales targets :
We all have encountered an enormous flurry of activity in the sales cell of an entity towards each month end, quarter end and year end. It is a known fact that sales are pushed over the phone to secure orders. These orders are eventually accompanied by stock movements within a few days, hence the order is accrued at the period end and the targets are met.

However, care should be taken to identify unusual sales patterns at period ends which are counterbalanced by reversals at the beginning of the ensuing period. These unusual trends can be identified through the Field Statistics — Date Statistics in the GAS. A high number of sales transactions/records which almost resemble one another between, say, March 2007 and April 2007 needs to be investigated, especially when the transactions in April 2007 pertain to reversals of March 2007 sales.

Fraudulent inventory valuations :
In certain industries, finished goods inventory can be divided into two main classes: for sale and for samples/gifts/testing. The inventory held for sale is correctly valued at net realisable value. Fraudsters often, with the hope of inflating inventory valuations, adopt the same practice for inventory held for samples/gifts/testing.

As a common practice, inventory held for samples/gifts/testing is valued at the minimum system recognisable value, for example Re : The antithesis of the Benford Law may be applied here to test for unexpected frequency counts at digits other than 1 for inventory held for samples/gifts/testing. If the entity is deliberately overstating such inventory, it will show up on the Benford Curve for further examination and interrogation.

Red flags in payroll :
Typical fraud tests with regard to payroll are as follows :

· Employees having the same first name and last name
· Employees having the same first name, last name and bank account number
· Employees having different first names but the same last name and the same bank account number
· Employees having similar sounding names (De-Dup Tests using Soundex Functions)
· Payments to employees after they have left the entity
· Payments to employees who are not on the employee master listing
· Overtime payments to employees when normal hours have been worked
· Payments of location allowances to employees when they are not entitled to the same
· Payment of grade allowances to an employee when his grade does not permit the same
· Payment of both asset maintenance expenses and an asset maintenance fixed allowance, like vehicle allowances, when entity policy allows either or.

Conclusion :
While specific audit reports gave regular feedback to the process owners about process flow control gaps, the identification of potential red flags in the process was greatly aided by using GAS, which went beyond the set standard traditional norms. Further, it allowed the audit team to move beyond the ‘priority’ set by the Audit Committee and to complete their investigations within time, with specific unusual drill down capabilities and results through a third-eye watch. The IT team was also excited about the possibilities which such a tool could have for their forensic security reviews on a regular basis. The CIA also initiated a review with a special watch on cyber security.

Further, the Chief Internal Auditor also made it mandatory for the Company’s outsourced internal auditors to use GAS for their branch audits using similar methodologies. As a seasoned user of GAS, the Chief Internal Auditor laid down the structure for continuous control monitoring with specific forensic objectives through automation and scheduling within GAS.

Article by Deepak Singal and Manish Pipalia, Chartered Accountants
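The test described under ‘Transactions at or near spending authorities’, written out in Python as an added example (it is not code from the article or from any GAS product): it compares leading two-digit frequencies with Benford’s Law and counts payments per vendor in a band just under the INR 50,000 limit. The 5% band, the ratio and count thresholds, the vendor codes and the sample payments are assumptions constructed for illustration.

```python
import math
from collections import Counter

LIMIT = 50_000  # spending authority limit quoted in the article (INR)

def leading_two(amount):
    """First two significant digits of an amount of at least 10."""
    return int(str(int(amount))[:2])

def benford_spikes(amounts, min_ratio=2.0, min_count=5):
    """Leading-digit pairs seen at least min_ratio times more often than
    Benford's Law predicts, as {digits: (observed, expected)}."""
    digits = [leading_two(a) for a in amounts if a >= 10]
    spikes = {}
    for d, seen in Counter(digits).items():
        expected = len(digits) * math.log10(1 + 1 / d)
        if seen >= min_count and seen >= min_ratio * expected:
            spikes[d] = (seen, round(expected, 1))
    return spikes

def hugging_limit(payments, limit=LIMIT, band=0.05, min_hits=3):
    """Vendors with min_hits or more payments inside the band just under
    the limit, as {vendor: count}. The band width is an assumption."""
    floor = limit * (1 - band)
    hits = Counter(v for v, amt in payments if floor <= amt < limit)
    return {v: n for v, n in hits.items() if n >= min_hits}

def sample_payments():
    """Constructed data: 2,000 log-uniform (Benford-conforming) payments
    spread over 40 vendors, plus 36 from vendor V99 just under the limit."""
    normal = [(f"V{i % 40:02d}", int(10 ** (2 + i / 500))) for i in range(2000)]
    planted = [("V99", 49_990 - 25 * k) for k in range(36)]
    return normal + planted

if __name__ == "__main__":
    pay = sample_payments()
    print("Benford spikes:", benford_spikes([amt for _, amt in pay]))
    print("Vendors hugging the limit:", hugging_limit(pay))
```

A spike on digits 49 alone does not prove fraud; it tells the auditor which vendor and approver files to pull first.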
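The period-end check from ‘Forced fictitious sales to meet sales targets’, as an added Python example (not code from the article or from a GAS product): it pairs sales booked in the last days of March 2007 with April 2007 reversals for the same customer and amount, then reports the share of period-end sales value that was undone. The record layout, the five-day window and the ledger entries are constructed assumptions.

```python
from datetime import date, timedelta

def period_end_reversals(entries, period_end, window_days=5):
    """Pair sales booked in the last window_days of a period with reversals
    of the same customer and amount in the first window_days after it.
    entries: (doc_no, customer, posting_date, amount); reversals negative."""
    start = period_end - timedelta(days=window_days - 1)
    cutoff = period_end + timedelta(days=window_days)
    late_sales = [e for e in entries if e[3] > 0 and start <= e[2] <= period_end]
    reversals = [e for e in entries if e[3] < 0 and period_end < e[2] <= cutoff]
    pairs, used = [], set()
    for sale in late_sales:
        for rev in reversals:
            if rev[0] not in used and rev[1] == sale[1] and rev[3] == -sale[3]:
                pairs.append((sale[0], rev[0]))
                used.add(rev[0])  # one reversal offsets one sale only
                break
    return pairs

def reversed_share(entries, period_end, window_days=5):
    """Fraction of period-end sales value reversed just after the period."""
    start = period_end - timedelta(days=window_days - 1)
    amount = {e[0]: e[3] for e in entries}
    late_total = sum(e[3] for e in entries
                     if e[3] > 0 and start <= e[2] <= period_end)
    pairs = period_end_reversals(entries, period_end, window_days)
    undone = sum(amount[sale_doc] for sale_doc, _ in pairs)
    return round(undone / late_total, 2) if late_total else 0.0

# Constructed ledger extract (document numbers and customers are made up)
ENTRIES = [
    ("S101", "C1", date(2007, 3, 12), 120_000),   # mid-month sale
    ("S102", "C2", date(2007, 3, 29), 250_000),
    ("S103", "C3", date(2007, 3, 30), 250_000),
    ("S104", "C2", date(2007, 3, 31), 90_000),
    ("S105", "C4", date(2007, 3, 31), 75_000),
    ("R201", "C2", date(2007, 4, 2), -250_000),
    ("R202", "C3", date(2007, 4, 3), -250_000),
    ("R203", "C1", date(2007, 4, 4), -120_000),   # reverses the mid-month sale
]

if __name__ == "__main__":
    print(period_end_reversals(ENTRIES, date(2007, 3, 31)))
    print(reversed_share(ENTRIES, date(2007, 3, 31)))
```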
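Several of the tests listed under ‘Red flags in payroll’ (shared bank accounts, similar sounding names via Soundex, payments after leaving and payments to people not on the master listing), as an added Python example that is not taken from the article or from a GAS product. The field names, employee records and payment run are constructed assumptions; the Soundex routine follows the standard American Soundex rules.

```python
from collections import defaultdict
from datetime import date

_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
CODES = {ch: d for d, chars in _GROUPS.items() for ch in chars}

def soundex(name):
    """American Soundex code (letter plus three digits) for one name."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        return ""
    code, prev = letters[0], CODES.get(letters[0], "")
    for c in letters[1:]:
        digit = CODES.get(c, "")
        if digit and digit != prev:
            code += digit
        if c not in "HW":  # H and W do not break a run of equal codes
            prev = digit
    return (code + "000")[:4]

def clusters(master, key):
    """Group employee ids by key(record); keep groups with two or more ids."""
    groups = defaultdict(list)
    for emp in master:
        groups[key(emp)].append(emp["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def payment_exceptions(master, payments):
    """Payments to ids missing from the master or dated after leaving."""
    by_id = {emp["id"]: emp for emp in master}
    flagged = []
    for emp_id, paid_on in payments:
        emp = by_id.get(emp_id)
        if emp is None:
            flagged.append((emp_id, paid_on, "not on master"))
        elif emp["left"] and paid_on > emp["left"]:
            flagged.append((emp_id, paid_on, "paid after leaving"))
    return flagged

# Constructed employee master and payment run (all values are made up)
MASTER = [
    {"id": "E01", "first": "Suresh", "last": "Mehta", "account": "A-1001", "left": None},
    {"id": "E02", "first": "Sooresh", "last": "Mehtha", "account": "A-2002", "left": None},
    {"id": "E03", "first": "Anita", "last": "Mehta", "account": "A-1001", "left": None},
    {"id": "E04", "first": "Vikram", "last": "Rao", "account": "A-4004", "left": date(2008, 6, 30)},
]
PAYMENTS = [("E01", date(2008, 9, 30)), ("E04", date(2008, 9, 30)), ("E09", date(2008, 9, 30))]

if __name__ == "__main__":
    print(clusters(MASTER, lambda e: e["account"]), payment_exceptions(MASTER, PAYMENTS))
```

Grouping on `(soundex(first), soundex(last))` with the same `clusters` helper gives the similar-sounding-name test; here it pairs E01 with E02.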