5514 Using CAATs in Attempting to Detect Fraud

Jun-2018

OAG Guidance

For related guidance on CAATs see OAG Audit 7591.

Examples of Using CAATs (ex: IDEA) in Attempting to Detect Fraud

CAATs can be used to address the risk of fraud in the examination of journal entries or in other areas of the audit that have been deemed to have a heightened risk of fraud. This section discusses how CAATs can be used to detect fraud in areas other than journal entries.

• Review of unusual transactions.

  • CAATs can be used to highlight many conditions that might indicate potential fraud. The basic approach is to define what is considered usual for each category of transactions that will be analyzed. CAATs can then generate a list of all transactions that fall outside of what is considered usual. This list can then be used to select items for further testing. This process needs to be tailored for each entity, as no two entities will have the same definition of what is considered usual or normal. This test will not find every possible fraud, but rather is designed to highlight potentially significant fraud, to the extent it is evidenced in the transaction files being reviewed. When designing this test, it is important to receive input from individuals with deep knowledge of the entity and its processes. Examples of such tests include:

    • Revenue or shipments by week, to assess for unusual spikes in activity at period ends.

    • Analysis of inventory levels compared to procurement and sales activity to assess for reasonableness.

    • Ratio analysis of accounts or amounts that should be highly correlated, for example, in a professional services company, monthly billable hours compared to monthly revenue.

• Benfords Law analysis.

  • Benfords Law is a technique that analyses the first few digits of a population of amounts and indicates whether there are any unusually high or low occurrences of particular digits. The actual rate of occurrence of each digit (1 through 9) is compared to average occurrence rates as established by Benfords Law. For example, if a population of cash disbursement data has an extremely high frequency of amounts beginning with the digit 4, it may be an indication that there is a spending limit at 50,000, perhaps, and that many disbursements (possibly fraudulently) are being processed just under this spending limit.

• Unusual timing.

  • Transactions taking place outside normal hours (e.g., evenings or weekends) or prior to or immediately following key period- end accounting dates.

• Unusual combinations of accounts in journal entries.

  • Transfers from operating expenses to depreciation; transfers from P&L to B/S accounts vulnerable to manipulation such as inventory and accounts receivable; transfers from leased sales to outright sales; transfers from deferred income to current year P&L.

• High frequency of transactions.

  • Unusually large volumes of transactions taking place just prior to a period end may be indicative of revenue recognition manipulation, (e.g., sales being forced into accounting period to meet expectations).

• Matched transactions.

  • Transactions which are matched by subsequent reversals or by simultaneous equal and opposite transactions may be symptoms of manipulation, (e.g., provisions which are reversed, or round tripping which boosts revenue and costs of sales equally).

• Code Mapping.

  • Mapping allows the identification of any initialised but unused code in the application. This highlights redundant code or code used for fraudulent purposes.

• Program Library Analysis.

  • This analysis provides records of changes made to the system software allowing the identification of any potential problems if the expected output changes.

• Source / Object Comparison.

  • Allows the comparison of either the source or object code of an application to that of a secure master copy. This will highlight any fraudulent changes or errors and also ensure that the current version of the software is being used.

• User Log Analysis Software.

  • Allows the identification of unauthorised entry attempts and password violation. Most systems keep a log of user entries and attempted logons. This file is usually a simple text file that can easily be linked to a file interrogation program or interrogated using an in- house program.

  • The activity log may also indicate if there were periods of time when specific controls were turned off or otherwise not active.

  • Analysis of personnel with super-user access.

  • Analysis of personnel who have access to systems and applications outside their normal job responsibilities.

Payroll

• Test for overpayments to existing employees by identifying duplicate or similar:
  • Payees on the same date.
  • Names.
  • Employee numbers or government issued identification numbers.
  • Addresses.
  • Telephone numbers (work/home).
  • Bank deposit account numbers.
  • Work locations.
• Test for fictitious employees through the presence of the following:
  • No time and attendance report.
  • Not in employee directory.
  • No holiday/vacation taken.
  • No overtime charged.
  • No expense reimbursements ever submitted.
  • On a terminated employee list.
  • No pension or other payroll deductions.
  • Invalid government issued identification number.
  • No or limited personnel data.
  • Address is a Post Office Box.
  • Search for wages or wage rates inconsistent with job classification.
  • Generate list of payroll payments over a certain monetary threshold.
  • Search for payments made before date of employment, or after date of termination.

Procurement

• Test for duplicate payments to vendors by identifying some combination of duplicate or similar:
  • Payment/invoice amounts.
  • Vendor number.
  • Vendor name.
  • Invoice dates.
  • Invoice numbers.
  • Payment dates.
• Test for purchases without evidence of receipt of goods.
• Search for invoices from vendors in unbroken numerical sequence.
• Search for payments made without an associated invoice.
• Invoices for the same or similar goods or services with the same vendor and in amounts just below higher-level approval threshold within a short time span.
• Purchases with no purchase order.
• Multiple vendors with the same address, telephone numbers or contact names.
• Vendors with similar or similar-sounding names.
• Vendor address is a Post Office Box.
• Vendor with no telephone number or contact name.
• Generate list of purchases with higher prices than comparable purchases.
• Payments to vendors that are not on authorised vendor masterfile.
• Search for vendors who may also be employees (same name, address, bank account, phone number).
• Ship to address matches employee address.
• Ship to address is different from address in vendor masterfile.
• Pay to address is different from address in vendor masterfile.
• Comparison of master vendor file to customer file (check for roundtrip transactions).
• Unit prices rising rapidly or inconsistent with historical prices.
• Unit prices for same items inconsistent among different vendors.
• Matching of item numbers/descriptions being purchased and sold for scrap.
•  Inventory level fluctuations inconsistent with production or sales.
• Search for purchases outside normal course of business.

Other

• Generate list of sales transactions with pricing below established price lists.
• Generate list of inventory items that are not used in the production of any finished product.