Total Number of Subscribers: 1626
Date: 22nd June 2010
Compiled by: M Sathya Kumar
Introduction :
Ray, the Head of Audit, Risk Management and Forensics of a manufacturing major, ‘D & B’, was making a presentation on ‘Role of Internal Audit and Management Assurance Services in detecting indicators of frauds, that is, red flags’ to the Audit Committee, because the Audit Committee had queried: "To what extent should internal audit be responsible to detect indicators of frauds and provide early warning signals?" The presentation sought to present the role of the internal auditor in the context of the new IT-enabled business environment and the focus of the assurance teams on IT controls, risk management, physical document-based audits and compliance requirements under various regulations. One important tool that could be used in this scenario is Generalised Audit Software (GAS). These tools help an assurance team identify trends and patterns and query data for other indicators of fraud while containing the cost of review and keeping conclusions timely. The Audit Committee was supportive of the presentation made by Ray and asked him to implement the GAS and present the red flags detected as a result of the forensic review at the next quarter's meeting.

Methodology :
The Chief Internal Auditor set up a mid-size team within
the department to take the initiative of implementing the GAS in the Company. The team comprised 2 senior audit officials (who between them had wide experience of the company's process areas, such as procurement, sales, finance and administration), a Certified Fraud Examiner and an Information Systems Auditor. The team also retained the services of a retired CBI Officer who was an expert in economic-offence interrogations. The entire audit manual was reviewed and specific forensic objectives were mapped to the audit tests that could be conducted using a GAS or otherwise. The method of using the GAS was debated and discussed by the group so that the data integrity, confidentiality and availability of the production server were not compromised while the objectives were still met. Since it was not possible to log on to the production server, owing to the access restrictions maintained by the Database Administrator, the team faced the challenge of importing data for further analysis. The team decided to connect to specific data dumps (Print Report Dumps from various modules of the ERP, such as materials, sales, etc.) provided by the DGM-IT. The data dump was provided by running a File Transfer Protocol (FTP) transfer on the Reporting Server, which is also used for reporting tools such as Discoverer.

Illustrative observations highlighting the red flags detected (in all these instances, the audit scope was suitably modified and the observation was followed through to its conclusion):

Accounts Payables : Potential employee-vendor nexus
The engagement team obtained key master data concerning
vendors and employees. The vendor master data had crucial fields such as telephone number, address, tax code and bank account number. The employee master data had vital fields such as date of birth, bank account number, PAN, etc. The team solicited special approvals from the ‘Supply Chain Management Wing’ and the ‘Human Resources Wing’ to obtain this confidential and privileged master data. Upon getting the data in hand, the team extracted the data into the GAS and set up the imported data for key comparisons. The JOIN function was used to link the two databases on the telephone number field and on the bank account field separately. A quick review of the result indicated some unexpected linkages; for example, the address fields for some of the vendors and employees seemed to resemble each other, similar but not the same. Interrogation followed this crucial data-crunching exercise, where surprise calls were placed to the registered telephone numbers. On the basis of voice recognition and investigative visits, it was conclusively established that key vendor-employee links existed within the company.

Payroll : Employees who have not availed of sick
leave, casual leave or travel leave in the last 3 years.
The investigation team consulted the Human Resources Wing of the company. Employees who attend work regularly without ever taking leave are normally watched by forensic auditors. These employees could be at the heart of a long-drawn, deep-rooted system fraud, as they often hold key roles in the organisation without much segregation of duties for long stretches of time; their supervisors never suspect their actions, and continued service is considered a merit. The data under consideration was the ‘leave availed’ data for the last 3 years and the list of employees on the company rolls for the last 3 years. Upon flat-file report import, the leave consumed by each employee over the last 3 years was summed up. This summation file was then excluded from the file of all employees on the company rolls for the last 3 years using the JOIN function. The resultant file brought to the fore long-standing employees who had never consumed leave. In fact, on closer review with the HR Wing, many of the cases detected were also on the CLOSE-WATCH OVERTIME list. The input was used to modify the audit objectives and tests for identifying any irregularity.

Accounts Receivables : Inconsistent scheme discount rates offered
by Billing to different customers against the same scheme.
The fields of reference relevant to the red flag being tested were identified as :
The process of interrogation followed was as such :
These cases were taken up for one-on-one interrogation with the Billing clerks to ascertain their motive.

Information Technology : Detecting transactions out of office hours
in Access Logs
The fields of reference relevant to the objective being tested were :
The process of interrogation in the GAS was elaborate and clear.
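As an added example (not from the article or the GAS product it describes), the out-of-office-hours test above applied to a constructed access-log dump: it flags sessions that start outside office hours, unusually long sessions, and logins by accounts absent from the authorised user master. The log format, the user list and both thresholds are assumptions made for this example.

```python
# Added example (not from the article): a GAS-style test over an ERP access log.
# Flags sessions that start outside office hours, sessions that run unusually
# long, and logins by accounts that are not in the authorised user master.
# Log format, user list and thresholds are constructed assumptions.
from datetime import datetime

# Constructed sample of an access-log flat-file dump: user, login, logout, role
ACCESS_LOG = """\
user,login,logout,role
dbadmin,2010-06-14 22:10:00,2010-06-15 08:45:00,dba
clerk01,2010-06-14 09:05:00,2010-06-14 17:30:00,billing
migrate_su,2010-06-15 01:20:00,2010-06-15 01:25:00,superuser
clerk02,2010-06-15 10:00:00,2010-06-15 18:05:00,billing
"""

# Constructed authorised user master (what the HR/IT wings would supply)
AUTHORISED_USERS = {"dbadmin", "clerk01", "clerk02"}

OFFICE_START, OFFICE_END = 8, 19   # assumption: 08:00-19:00 is office hours
MAX_SESSION_HOURS = 10             # assumption: longer sessions are unusual

def parse_log(text):
    """Parse the CSV dump (header skipped) into dicts with datetime fields."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        user, login, logout, role = line.split(",")
        rows.append({
            "user": user,
            "login": datetime.strptime(login, "%Y-%m-%d %H:%M:%S"),
            "logout": datetime.strptime(logout, "%Y-%m-%d %H:%M:%S"),
            "role": role,
        })
    return rows

def red_flags(rows, authorised):
    """Return (user, reason) tuples for sessions that need follow-up."""
    flags = []
    for r in rows:
        hours = (r["logout"] - r["login"]).total_seconds() / 3600
        if not (OFFICE_START <= r["login"].hour < OFFICE_END):
            flags.append((r["user"], "login outside office hours"))
        if hours > MAX_SESSION_HOURS:
            flags.append((r["user"], f"prolonged session ({hours:.1f} h)"))
        if r["user"] not in authorised:
            flags.append((r["user"], f"unknown account with role '{r['role']}'"))
    return flags

if __name__ == "__main__":
    for user, reason in red_flags(parse_log(ACCESS_LOG), AUTHORISED_USERS):
        print(f"{user}: {reason}")
```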
Cases observed revealed extensive, prolonged login sessions by the Database Administrator late at night. A few cases revealed attempted access by an unknown user with super-user rights. It was later discovered that this user had been created during the last system migration with unlimited access and change-modification rights. Ironically, this user's profile had not been deleted or permanently disabled within the system.

Conclusion :
Some of the indicators that were highlighted using the GAS had existed all these years, but the auditor did not have the tool to identify them within a reasonable timeframe while also providing assurance in other areas. The GAS therefore allowed the audit team to move beyond the ‘priority’ set by the Audit Committee. The IT function was also excited about the possibilities such a tool held for its own forensic security reviews on a regular basis, and initiated a review of it with a special watch on cyber security. Further, Ray made it mandatory for the company’s outsourced internal auditors to use a GAS for their branch audits, using methodologies similar to those of the in-house team. As a seasoned user of the GAS, Ray laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS. The Audit Committee appreciated the innovative steps taken by Ray, including his efforts at clarifying the role of the internal auditor in fraud identification. All audit plans included some dimension of fraud review without going in for a full investigation.

Article by Deepjee Singhal and Manish Pipalia, Chartered Accountants
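As an added example (not from the article or the GAS product it describes), the two master-data tests described above on constructed sample dumps: the accounts-payable JOIN of the vendor master to the employee master on normalised telephone and bank-account keys, with an address-similarity score for the "similar but not the same" cases, and the payroll anti-join of the leave register against the employee roll. All records, field layouts and the similarity threshold are assumptions made for this example.

```python
# Added example (not from the article): two GAS-style tests on constructed
# master-data dumps. (1) Accounts payable: JOIN vendors to employees on
# normalised telephone and bank-account keys and score address similarity.
# (2) Payroll: anti-join the leave register against the employee roll.
import re
from difflib import SequenceMatcher

VENDORS = [  # constructed vendor master: code, name, phone, bank account, address
    ("V001", "Acme Supplies", "(022) 2345-6789", "IN12-3456", "14 Park St, Flat 3"),
    ("V002", "Beta Tools", "022 9876 5432", "IN99-0001", "7 Mill Road"),
    ("V003", "Gamma Metals", "011 5555 1212", "IN77-2222", "88 Lake View"),
]
EMPLOYEES = [  # constructed employee master: id, name, phone, bank account, address
    ("E100", "A. Kumar", "02223456789", "IN55-1111", "14 Park Street, Flat 3"),
    ("E101", "B. Singh", "02211112222", "IN99-0001", "2 Hill Lane"),
    ("E102", "C. Rao", "01100000000", "IN66-3333", "5 River Way"),
]
# constructed leave register for the review period: (employee id, days taken)
LEAVE = [("E101", 5), ("E102", 2), ("E101", 3)]

def norm(value):
    """Keep only digits/letters so '(022) 2345-6789' and '02223456789' compare equal."""
    return re.sub(r"[^0-9A-Za-z]", "", value).upper()

def vendor_employee_nexus(vendors, employees, addr_threshold=0.8):
    """JOIN on phone and on bank account separately; report which key matched,
    plus an address similarity ratio (assumed threshold 0.8 = 'resembles')."""
    hits = []
    for v in vendors:
        for e in employees:
            keys = [k for k, i in (("phone", 2), ("bank", 3)) if norm(v[i]) == norm(e[i])]
            if keys:
                sim = SequenceMatcher(None, v[4].lower(), e[4].lower()).ratio()
                hits.append((v[0], e[0], keys, round(sim, 2), sim >= addr_threshold))
    return hits

def employees_without_leave(employees, leave):
    """Sum leave per employee, then exclude those ids from the roll (anti-join)."""
    taken = {}
    for emp_id, days in leave:
        taken[emp_id] = taken.get(emp_id, 0) + days
    return [e[0] for e in employees if e[0] not in taken]

if __name__ == "__main__":
    for v, e, keys, sim, similar in vendor_employee_nexus(VENDORS, EMPLOYEES):
        print(f"vendor {v} <-> employee {e} on {keys}; address similarity {sim}")
    print("no leave taken:", employees_without_leave(EMPLOYEES, LEAVE))
```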