Chapter 10
Fraud Data Analytics for Theft of Revenue and Cash Receipts

The opportunity to commit theft in the revenue and cash receipts cycle is greatly dependent on a number of factors ranging from quality of internal controls to management override and nature of the industry—the list goes on and on. With that said, I believe theft in the revenue cycle occurs with greater frequency than in many of the published reports regarding fraud.

The fraud scenarios in the revenue cycle occur through the theft of revenue, theft of inventory through the revenue cycle, theft of customer remittances, theft of other cash receipts, theft of customer credits or false sales returns, or false sales adjustment or credit scenarios. Also, there are conflict‐of‐interest schemes called pass‐through customer schemes and bribery scenarios associated with preferential terms. The primary focus of this book is theft committed by an internal source and bribery involving an internal person. Fraud scenarios committed by organized crime groups or customers are not a primary focus of this chapter.

The difficulty in providing a framework for fraud data analytics in the revenue and cash receipts cycle is that business systems vary in this cycle depending on the nature of the industry, type of cash receipts, billing, and accounts receivable systems. Is the customer an individual or a multinational corporation? Is the industry a retail location or international steel manufacturer? There are so many variables that it almost seems like an impossible task to write a chapter on this topic. Readers of this chapter may need to work a little harder on seeing the applicability of the methodology to their specific industry or their company's business systems.

In this chapter, I will discuss the types of information the fraud auditor needs to understand regarding company policies and procedures. To illustrate the concepts, examples are provided on different variations of typical business processes. In revenue systems more than standardized systems like accounts payable and payroll, the fraud auditor will need to understand the business process as to how the fraud action would occur and the opportunity provided to the internal person to commit the scenario.

Inherent Scheme for Theft of Revenue

The inherent fraud scheme structure is the starting point for fraud data analytics in revenue. The inherent scheme structure for entities is similar to vendors, except that in revenue, the entity structure is a customer. There are three entity structures in customer fraud scenarios. From a fraud data analytics perspective, there are three homogeneous categories of shell companies in the revenue cycle:

  1. The traditional shell customer, used for the pass‐through customer scheme
  2. The assumed entity shell customer, used for theft of customer credits
  3. The hidden entity shell customer, used for bad‐debt scenarios

From a fraud data analytics perspective, there are two types of real customers:

  1. Real customer that is complicit in the scheme
  2. Real customer that is not complicit in the scheme

The fraud action statements are:

  1. Theft of revenue before the revenue transaction is recorded
  2. Theft of revenue after the revenue transaction is recorded
  3. Pass‐through customer scenarios
  4. False adjustment and return scenarios
  5. Theft of customer credit scenarios
  6. Lapping scenarios
  7. Bad‐debt write‐off scenarios
  8. Currency conversion scenarios or theft of sales paid in currency
  9. Other miscellaneous revenue scenarios
    1. Theft of scrap income or equipment sales
    2. Inventory theft for resale
    3. Bribery scenarios

Identifying the Key Data and Documents

Building a fraud data analytics plan for fraud scenarios in the revenue system starts with understanding what your company sells. Do you sell inventory, services, or inventory and services? How the fraud scenarios occur is driven by the nature of your industry, how your customer places orders, and how the goods and services are delivered. How does the customer remit funds? Does the customer remit funds directly to an internal person, or are the funds remitted directly to a bank? The answers to these questions will determine how to build the fraud data analytics routines for each fraud scenario.

More importantly, will the fraud data analytics search for the theft of revenue through the sales records, inventory records, or by searching for the theft of the customer payment? As a general guideline, first the fraud data analytics searches for a missing customer invoice or a missing customer payment and then links the missing item to an internal person.

Lastly, the misappropriation of revenue occurs before the revenue transaction is recorded or after the revenue is recorded. It is that simple. Both scenarios require a concealment strategy to hide the misappropriation of the revenue, inventory, and customer payments.

Customer Sales Records

For sales orders, the revenue process starts with either a customer placing an order or a salesperson placing an order. Customer orders can originate from a customer (a purchase order), a salesperson using an internal sales order form, or via a customer appointment. The importance of the sales order transaction is that it is the first recorded event that a sales transaction may have occurred. These records are useful in the theft of revenue before the revenue is recorded or the theft of customer remittances.

Sales invoices are recorded in a sales journal, and the invoices typically have an invoice number, invoice date, invoice amount, description of the item sold, and are recorded in a general ledger account. The sales invoice is the record indicating that a sales transaction occurred between a customer and your company. These records are useful in the theft of revenue after the revenue is recorded.

Inventory records indicate that something was purchased and something happened to the inventory. It was sold, stolen, or written off.

Shipping records indicate where the item was shipped and the method of acceptance by the customer. The shipping records establish that the inventory was removed from your company for some purpose. These records are useful for pass‐through scenarios.

Service records indicate where a service was provided, who provided the service, what service was provided, and whether the service provided labor or labor and parts. These records are useful in the theft of revenue before the revenue is recorded or the theft of customer remittances.

Customer Payment Records

Customer payments are in the form of currency, checks, credit card, electronic transfer, or a financing payment. Customer payments are recorded in a cash receipts journal and a customer account. Typically customer payments in the form of currency or checks are the most prone to theft.

Customer accounts receivable records reflect all recorded customer activity as to customer invoices, customer payments, and customer adjustments or returns. Accounts receivable records provide a history of all customer activity. These records are useful for false adjustment scenarios, theft of credit balances, lapping scenarios, and bad‐debt write‐off scenarios.

Understanding how customer master file data, sales order data, sales invoice systems, and customer remittance files relate to each fraud scenario is the basis of developing the fraud data analytics plan.

Planning Reports for the Theft of Revenue and Customer Remittances

In theft of revenue scenarios the starting point is the margin analysis when focusing on the revenue transaction. The follow‐up to margin analysis is the use of disaggregated analysis to the lowest finite point possible. When focusing on the theft of customer payment, it is the composition of cash receipts as to the type of cash receipts or those transactions that cause the customer balance to reflect a zero balance due. The fraud data analytics plan should start with summary reports by transaction type, by customer, and by an internal person. Remember, the planning reports are not intended to find the fraud scenario but are intended to assist in the likelihood question of which fraud scenarios are more predictable.

Theft of Revenue Before Recording the Sales Transaction

The attributes of theft of revenue before revenue as recorded for purposes of this chapter is defined as:

  • Goods or services were provided to the customer.
  • Customer initiated an action, either a customer order or a customer appointment.
  • Customer is either complicit or not complicit.
  • Customer payments are not mailed to a lockbox or electronically transferred to the bank.
  • Customer payments are received directly by an internal person.
  • For inventory, the internal person either diverts the customer payment or sells the inventory.
  • For services, the customer payment was diverted by the internal person providing the service or by an internal person in a position of receiving a customer payment.

Starting with theft of inventory, the item is removed from the premises before a sales transaction is recorded. In one sense, the scheme is an inventory theft scheme. In one sense, the scheme is a theft of revenue. The answer to the question depends on the person committing the scheme. Is the scheme being perpetrated by a warehouse employee or someone in the sales function? The bottom line is there is no entry in a sales journal. The lack of a recorded sales transaction allows the internal person to misappropriate the customer payment or the inventory for resale.

There are scenarios that involve theft of revenue before creating the sales invoice by initiating a sales order that causes the necessary documents to be created to allow the removal of inventory. The sales order then is voided or deleted, resulting in no sales invoice being created, or the sales invoice is changed to a zero invoice. The internal documents allow for the inventory to be removed from the premises without detection.

The fraud data analytics for the previous scenario needs to search the sales order file for deleted or voided sales orders or search the sales invoice file for a zero dollar invoice or a missing sales invoice number. The frequency of the event by customer or the internal person is the first clue. Off‐period analysis linking the change to an internal person that is changing the sales order is also useful.

There are scenarios that involve theft of revenue before creating a sales invoice that occur by simply accepting the customer payment and providing the customer with the inventory. The fraud data analytics starts with summarizing sales by product and the number of units sold. The fraud audit procedure is to identify a supply item that correlates specifically to the sales unit. In one project, the theft involved the selling of cakes. The purchased item for comparison to the sales records was the cardboard round used under the cake. The analysis projected that over 2,000 cakes sales were misappropriated in one year, resulting in the loss of over $200,000.

The fraud data analytics through inventory records needs to compare purchase records for inventory to the sales records associated with the inventory record. The initial analysis is focusing on purchase‐units (adjusted for inventory balances) that exceed the corresponding revenue units, which indicates missing revenue. If the inventory was shipped, then link the missing items to shipping address. The sample selection will focus on the frequency of the missing item to a common address. If the item was not shipped, the sample selection is based on purchase units exceeding sales units.

Theft of revenue for services indicates that the customer ordered the services, the services were provided, and the customer payment was diverted. The fraud data analytics starts with the customer appointment records, followed by matching to a customer invoice. The sample selection is based on the frequency of sales orders with no sales invoice. The sample selection is then refined based on the frequency of no sales invoice that links to an internal service provider.

The theft of customer payment is typically currency. The first data analytics is to summarize customer payment by the type of customer payment: currency, credit card, check, electronic transfer, or financing. Since credit card payments, electronic payment, and financing occur through an independent party, the most likely theft is customer payments in the form of currency or customer checks. Theft of customer checks is not as challenging as many people believe. The check can be negotiated by a forged endorsement, check‐cashing companies, night deposits, or conspiring with a dishonest banker.

The fraud data analytics for the theft of customer payments should start with a summary of cash receipts by type of cash receipts over an extended period of time. The analysis is looking for a downward trend in the percentage of currency. Once identified, the fraud data analysis is similar to theft of revenue before the revenue transaction is recorded.

Theft of Revenue after Recording the Sales Transaction

Theft of revenue after the revenue is recorded means that there is an entry in the sales system indicating a sales transaction. In this scenario, the internal person must cause the sales invoice to be voided or deleted, change the sales invoice to a zero amount, or cause the customer invoice to reflect payment. The fraud data analytics should search the sales invoice file, the cash receipts journal, or the customer's accounts receivable records.

In the theft of revenue scenarios, the fraud scenario will occur either with a repeated pattern to a customer or a random pattern of customers. The repeated pattern indicates the internal person is in collusion with that customer. In the repeated pattern scheme, the customer forwards the payment to the internal person or the internal person is motivated by a personal relationship with the customer. In the random pattern scheme, the internal person is not in collusion with the customer and the internal person is diverting the customer payment.

The fraud data analytics on the sales invoice file will use the specific identification strategy searching for gaps in the sequential pattern of sale invoice numbers or search for zero dollar invoices. If a change record is available, then search for changes to customer invoices. If there are gaps in the sales invoice number or zero dollar invoices, the fraud data analytics has found the theft after recording.

If no gaps in the invoice numbers, the fraud data analytics will search the customer accounts to determine how the customer account was caused to show a zero balance:

  • Pattern and frequency of adjustments to a specific customer with an occurrence rate that exceeds normal business standards.
  • Pattern and frequency of adjustments associated with an internal person with an occurrence rate that exceeds normal business standards.
  • Pattern and frequency of adjustments to a random customers account indicates transfer of dormant customer credit balances or dormant credits transactions to cause the customer balance to reflect a zero balance.

Pass‐through Customer Fraud Scenario

The pass‐through customer scheme is composed of three entities. The first company is your company, the second entity is a shell company (shell customer), and the third entity is a customer to the shell customer (real customer). The shell customer is controlled by an internal person, typically someone in the sales function. The internal person uses their position of authority to sell to the pass‐through customer at deep discounts, which enables the pass‐through customer to sell the item in the marketplace.

The pass‐through customer purchases the goods from your company with the full intent of reselling the goods or services to the real customer. Your company ships the goods to the real customer versus the front customer. In more advanced scenarios, the shipping address is a freight‐forwarding company. The real customer remits funds to the pass‐through customer. The pass‐through customer remits the funds for all purchases to your company. In real life, there may be different variations; however, fundamentally, all pass‐through customer scenarios operate in a similar manner. In Chapter 7, there is an extensive discussion of pass‐through vendors. Use that discussion to adapt the pass‐through customer scenarios for the potential permutations of entity type.

FDA for Pass‐through Customer Scenarios

The fraud data analytics starts with the entity because the entity structure is a false entity. The false customer testing follows the same logic as followed in Chapter 6 for shell companies.

  • Match to employee database for address and telephone. Change analysis for dormant customers as described in Chapter 6.
  • Specific identification testing using the missing information analysis.
  • Specific anomaly testing:
    • Credit limit is higher‐than‐normal standards for a new customer or rapid increase of the credit limit.
    • Email address that uses a public email address.
    • No bank account information.
    • Company name is nondescriptive (i.e., initials only).
    • Creation date of customer is within a maximum of 48 months of audit scope date. Most likely, I would start the analysis at 24 months and then review the results.
    • Duplicate shipping address for two or more customers.
    • Shipping address links to freight‐forwarding address.
    • Multiple shipping addresses for one customer in a common geographic area.

The fraud data analytics for the transaction analysis starts with the cash receipts journal for the pass‐through customer payments:

  • Search for a sequential pattern of check numbers from the customer in the cash receipts journal.
  • Search for a limited range of customer check numbers from the customer in the cash receipts journal.

The fraud data analytics for the sales invoice file for the pass‐through customer follows:

  • Compare unit price on customer invoice to product file, searching for a pattern of deep discounting.
  • Search customer invoices with a line‐item discount.
  • Search customer accounts receivable file for a frequency of sales adjustments.
  • Search for customers within the 48‐month period that are receiving preferential terms (e.g., no shipping charges).
  • A common tendency is the customer aging becomes more delinquent over time.

False Adjustment and Return Scenarios

In this scheme, a fictitious sales return or sales adjustment is posted to a customer's account by an internal person. To illustrate the concept:

  • In retail, the store clerk provides a refund to a customer credit card for a return that never occurred.
  • In retail, a customer commits a shoplifting scheme by first stealing the item, then returning the item for a credit to his or her account.
  • In the telecommunication industry, customer service personnel are authorized to provide credits to customers that complain of service‐related issues.
  • In the health food or vitamin industry, the sales force is authorized to provide credits for items that were not sold before their expiration date.

The fraud data analytics brainstorming starts with understanding how an internal person can cause a false adjustment or false return to be posted to a customer's account. The second aspect is to understand how the internal person benefits from the fraud scenario. The use of frequency analysis associated with either a customer or internal person is a good starting point.

FDA for False Adjustment and Return Scenarios

The starting point for the fraud data analytics is to identify the internal person that initiates the sales return or sales adjustment. The second aspect is to understand whether the return and adjustment is matched to a sales transaction or is posted to the customer balance. The last aspect is to understand whether the internal person enters the transaction, as in retail, or whether the internal person's actions cause another noncomplicit internal person to enter the transaction. The information is critical to develop the right scenario for the industry and your company.

When the internal person can enter the transaction, the starting point is a summary of transactions by internal person by customer. Assuming the coding for a sales adjustment is different from a sales return, the summary of transactions should be by type of transaction. The summary report should be by internal person by customer, providing frequency of transaction and aggregate dollar value. The key data element is the frequency analysis by internal person by customer. If the internal person cannot enter the transaction, then the frequency analysis is by customer with greater attention to the aggregate dollar value by customer.

Since the volume of data is extensive, the use of the inclusion and exclusion theory is critical to reduce the size of the initial report. The sample selection is based on the frequency of adjustment to one customer account. If no high frequency is noted, the use of data interpretation becomes necessary in reviewing the data for an anomaly that links to a customer or an internal person.

Theft of Customer Credit Scenarios

In this scenario, a valid sales return or sales adjustment is posted to a customer's account. Typically, the credit transaction becomes dormant. In the scenario, an internal person steals the dormant credit by transferring the credit to a customer account that is under the control of the internal person. The under control concealment theory indicates the internal person is linked to the customer address or customer bank account number. The concept of dormant credit may have different meanings, depending on how credits are applied to a customer's account. The dormant credits are:

  • Customer is a dormant customer with a credit balance.
  • Open credit that the customer has not used for whatever reason.
  • Open credit that has not been applied to an invoice.

The second scenario is to change the dormant customer address to an address that the internal person controls either directly or in collusion with a third party. The fraud data analytics starts with changes to customer addresses or bank account information. The second step is to search the accounts for refunds. The sample selection is based on the frequency of refunds to an address or the frequency of the transfer of a dormant credit by the internal person.

The conversion of the theft of customer credits can occur through accounts receivable or accounts payable. In accounts payable the goal is to have a refund issued to a customer that effectively is under the control of the internal person. In accounts receivable, the goal is to provide a real customer with a credit that belongs to another customer. The motivations to falsely transfer the customer credit might be a kickback from the real customer or a family or personal relationship with the customer.

FDA for Theft of Customer Open Credits through Accounts Payable

In the accounts payable approach, there are two general approaches:

  1. Create an FDA file of dormant customer accounts with a recent refund. In Chapter 6 on shell companies, we provide an FDA for vendors; the FDA for customers would be similar:
    1. The customer master file should have a code indicating that the customer is inactive. Search the change file for changes to the activity code from inactive to active.
    2. If there is a change file, search for a change to the address or bank account.
    3. If no change file is maintained, then compare a customer master file from two years ago to the current year, searching for changes to the activity code. There is nothing magic about the two‐year point. In your company, you may decide to shorten or expand the duration.
    4. Using the accounts receivable file from two years ago, summarize the debits and credits. Any customer that has no activity is a dormant customer. Then perform the same summary for the current year, searching for customers with activity. Then match the two‐year‐old customer file with no activity to the current‐year file customer file and identify any customers that were dormant and no have current‐year activity.
  2. An internal person causes a change to the customer's address or bank account for a dormant customer account to an address or bank account that the internal person controls. The second step for the fraud perpetrator is to initiate a refund request on behalf of the dormant customer. Accounting then issues the refund and either mails or electronically transfers the refund to the fraud perpetrator. The fraud data analytics should create a homogeneous data file of all customer refunds and search for a duplicate address or bank account in the refund address.
  3. Using the list of dormant accounts, the goal is to search for transfers of dormant customer credits. Summarize the transfer of credits focusing on the recipient of the credit. If the scenario is occurring, the report should show multiple credits from multiple customer accounts going to one customer account. The customer account receiving the multiple transfers would have multiple refunds.
  4. The internal person in collusion with a real customer may transfer credits from a dormant customer, and the real customer may request a refund. This item is different from the previous item because the focus point is the transfer of credits versus the change of an address.

FDA for Theft of Customer Open Credits through Accounts Receivable

In the accounts receivable system, the common data element is the transfer of credits to a customer account. The motivation is not a critical element to the fraud data analysis, except for the frequency analysis associated with the customer receiving the credit. In this scheme, the internal person is in collusion with a customer.

The fraud data analysis starts with identifying the transfer of all customer credits, whether payments, sales returns, or sales adjustments. The next step is a summary of transfers by internal person, then by customer. The summary report should provide both frequency and dollar aggregate of the transfers. The sample selection is based on the frequency of transfers to a customer. The person making the transfer is the secondary criterion of the sample selection.

Lapping Scenarios

In this scheme, an internal person misappropriates a customer's payment for a recorded sale. To hide the theft of the customer payment (first customer), the internal person applies another customer's payment (second customer) to the first customer's account. The scheme continues with the theft of another customer's payment with the application of another customer's payment. Eventually, the fraud scheme becomes so large that the sheer weight of the fraud scheme becomes too difficult for the internal person to hide. There are many variations of the scheme. The scheme can apply to various industries, although the mechanics of the scheme is the same.

The key to the scheme is the ability to steal a customer's payment and apply a credit to the customer's account. The credit to the customer's account is the audit trail for the fraud data analytics plan. It is important to understand if the customer payments are applied to a specific invoice or a customer balance. The fraud data analytics will vary depending on the how customer payments are applied.

FDA for the Traditional Lapping Scenario: Applied to a Balance

The fraud data analytics should start with the cash receipts journal. The analysis is simple. Using the cash receipts journal, identify the customer number, customer name, cash receipt amount, date of customer's remittance, and the control number on the remittance. The fraud data analytics will create monthly columns of the customer remittance number by customer. The fraud data analytics will compare the remittance control number on the first month to the remittance control number on the second month, etc. The report should subtract the control number from the first column from the control number on the second column, and so on. Since control numbers are typically ascending, the fraud data analytics is looking for a negative change in the calculation. The reason for the negative change is the perpetrator is applying any customer's payment to any customer account balance.

FDA for the Traditional Lapping Scenario: Applied to Customer Invoice

The fraud data analytics should start with the cash receipts journal. The fraud data analytics will depend on the extent of detail captured in the cash receipts journal and depend on whether the perpetrator is posting both the cash receipts journal and the accounts receivable records. The weakness in concealing the scheme for the perpetrator is finding a customer's payment that matches the customer's payment that was stolen. The fraud data analytics is searching for a customer payment that is applied to more than one customer's account. If the remittance amount is posted in total, then the cash receipt transaction may have more than one customer's account number. If a customer remittance amount is split in the cash receipts journal, then search for a duplicate control number, duplicate date, and more than one customer number. The key in both situations is the multiple customer account numbers.

FDA for the Traditional Lapping Scenario: Use of Dormant Credits

The theft of a customer's payment may also be concealed by applying a dormant credit from one customer's account to the account with the customer's remittance that was stolen. The fraud data analytics should search for transfers between two customers' accounts. The date of the credit that is transferred is the key data element for sample selection.

Illustration of Lapping in the Banking Industry with Term Loans

Loan officers have been known to issue loans to fictitious customers and then divert the bank funds. I use the term loan officer loosely to mean any bank official who has the authority or capacity to issue a loan. To illustrate the concept, we will assume the loan is a 90‐day term loan. At the end of the 90 days, the loan is due. To conceal the fraud scenario, the loan officer must find a way to repay the loan or ensure the loan does not appear on the delinquency report. The first way is to issue a new loan to repay the old loan. The new loan is either in the same customer's name or in a different customer's name. The second way is to divert funds from a dormant bank account or a bank account that has minimal activity and minimal monitoring by a customer. The last way is to use a variation of the lapping scheme to keep the loan from appearing on the delinquency report.

FDA for Lapping in the Banking Industry with Term Loans

Starting with a new loan, the fraud data analytics should summarize loan activity by customer over an extended period of time. The FDA is searching for a pattern of customer loans with term loans that are consecutively issued by using the dates of the term loan. Each term loan should have an increasing balance because the new loan is used to pay the old loan plus the interest.

The second approach occurs when the second loan used to pay the first loan is in a different fictitious customer's name. Using the cash receipts journal, the search is for a customer name or customer number on the cash receipts journal that is applied to a different customer loan balance.

The third approach is when the loan officer diverts funds from a dormant customer to pay off the fictitious customer loan balance. The loan officer may either transfer the funds to a bank account in the fictitious customer's name to repay the loan or transfer the fund directly from the dormant customer to the fictitious loan balance. Using the cash receipts journal, the search is for a customer name or customer number on the cash receipts journal that is applied to a different customer loan balance. If the payment is directly from the dormant bank account, the FDA starts with first identifying dormant accounts that have become active. The FDA is similar to the cash receipts journal test, searching for payments of a loan balance that match a withdrawal from a dormant account.

Bad‐debt scenarios occur through either a customer or an internal person

There are three primary variations of the bad‐debt scheme. The variation is caused by the person committing the scheme, which is explained below. The fraud action is the same: The customer balance is written off based on false reasons. The second aspect is whether the customer remains active after the false write‐off. The conversion occurs through a kickback to the internal person, or the internal person commits an asset misappropriation scheme by diverting the customer payment. Many companies have internal procedures that require delinquent customer payments to be directed to the internal collection person. The internal collection person could also advise the customer to wire the funds to a special bank account, thereby diverting the customer payment. Remember, desperate people will do desperate things to conceal the fraud scenario.

  1. Customer intentionally does not pay for goods and services. At some point, your company stops selling to the customer and eventually the customer balance is written off. However, the customer creates a new company and starts the process all over again.
  2. An internal person accepts a kickback from a customer that is in a severe collection status to write off the balance of the account. Typically, the internal person causes a new customer file to be established for the customer, and the delinquent customer is complicit.
  3. An internal person working in collections diverts payments from customers that are in severe collection status. The internal person writes off the remaining customer balance and causes a new customer file to be established for the customer. In this scheme, the customer is not involved.
  4. An internal person working in collections diverts payments from customers who are in severe collection status. The internal person then uses dormant credits from another customer account to offset the theft of the customer payment. In this scheme, the customer account remains intact.

The common element in the scheme is that the delinquent customer is reinstated into the active sales file with a different identity. The fraud data analytics starts by identifying delinquent customers; that is the first data criterion. The second criterion is to identify the delinquent customers that are closed or have become dormant as to sales activity. Using the homogeneous data file the fraud data analytics performs a duplicate test by comparing the delinquent customers to the active customers. The duplicate test is based on address, shipping address, bank account, telephone number, government identification number, email address, and contact person. The first analysis is using the exact match followed by the close match.

In the use of dormant credit scheme the fraud data analytics starts with the homogeneous data file of delinquent customers. A key data element is the date the customer was classified as delinquent. The fraud data analytics then searches the customer account for transfers of credits or payments to a delinquent account.

Currency Conversion Scenarios or Theft of Sales Paid in Currency

In this scheme, an internal person is misappropriating currency received from customers. The internal person is concealing the theft of currency by holding back customer checks or using checks from miscellaneous sources for future deposit to conceal the theft of currency.

In theft of revenue scenarios, currency is usually the first form of cash receipts that is misappropriated. From an internal control perspective, the accounting system should categorize cash receipts as to the form of cash receipts: currency, customer check, credit card, etc. A report should be prepared periodically summarizing cash receipts as to the form of cash receipts. If currency is being misappropriated, then currency as a percentage of total cash receipts will decrease. In my experience, in one case currency as a percentage of cash receipts went from 25 percent to 1 percent. The internal person misappropriated over a quarter of a million dollars in a two‐year period.

The first FDA is to summarize by the form of cash receipts for a 12‐month period; in this way, all the cycles of the year are reflected on the FDA report. The search is for downward trend of currency as percentage of total cash receipts. The fraud auditor may also want to benchmark changes to changes in personnel.

If the cash receipts journal does not capture the form of cash receipts, then the FDA should search for the absence of an event associated with the receipt of currency. The key in the analysis is comparing the amount of cash receipts to an income production statistic that the perpetrator cannot control or alter.

To illustrate the concept, a medical practice receives copays from patients. The FDA would create a homogeneous data file of copays and patient billings. The first report would be a summary of copays by day, providing frequency and aggregate dollar. The second report should be able to match all billings for office services to copays, understanding that not all visits require copays. In a professional service business associated with tax preparation, the FDA would reconcile customer's payments to the number of tax returns filed. The key is to use a second file that the perpetrator cannot alter or change.

Theft of Scrap Income or Equipment Sales

Theft of scrap income or miscellaneous equipment sales is a common scheme primarily because of the ease of committing the scheme, and lack of formalized procedures for controlling the sale and the receipt of scrap income. The fraud scenario is a crime of opportunity. The scenario is on point with the theft of revenue before the revenue transaction is recorded. From an internal control perspective, scrap income should be recorded in a miscellaneous income account for easy monitoring. Unfortunately, in my experience scrap income is posted in an expense account associated with the expense associated with the scrap sale.

The first step is to summarize scrap income over a period of time. Since scrap sale scenarios have been known to occur over long periods, the scope of analysis may be greater than two years. The first red flag is no scrap income. The second red flag is scrap income that is less than expected.

In most scenarios, the audit trail for fraud data analytics stops at this point. However, if the scrap income is associated with a project involving the replacement of a tangible asset, the next step is to compute the amount of tangible product purchased and compare the amount purchased to the dollar value of the scrap income. To illustrate the concept, consider the following:

  • In one project, the theft of scrap income was associated with the replacement of water pipe. Based on the footage of the replacement water pipe, we calculated the amount of scrap water pipe. We used actual scrap water pipe to determine the weight of the scrap pipe and then estimated the total amount of scrap pipe in yards. Then the fraud audit procedure compared the projected scrap income to the scrap income deposited in the company bank accounts.

Theft of Inventory for Resale

Theft of inventory scenarios is not truly a theft of revenue scenario. The crime is associated with weak physical inventory controls or weak internal controls over disposal of inventory. However, it would seem remiss not to at least mention the scheme.

Similar to the theft of scrap income, the theft of inventory does not provide an audit trail, except for something is missing. Missing red flags are associated with inventory shortages or a frequency of inventory adjustments associated with inventory write‐off.

If the scheme involves theft between two locations, the fraud data analytics would focus on matching transfers between the two locations. For those transfers that do not have a match, the second step is to match the missing transfers to someone. If the theft scheme is simply removing the inventory, then there is no audit trail.

If the tangible good is not recorded in an inventory account, then the fraud data analytics would use the summary tool to determine the quantity of an item purchased. Using data interpretation, the sample selection is based on whether the quantity purchased is reasonable for the business operation.

One last approach is based on understanding what inventory or supplies are purchased and would have easy resell value. The fraud data analytics for this approach is similar to a targeted expenditure review. This approach requires the fraud auditor to truly think like a thief.

Bribery Scenarios for Preferential Pricing, Discounts, or Terms

The mention of bribery generally causes auditors to focus on the procurement cycle. However, bribery also occurs in the sales cycle when a customer wants favorable pricing or favorable terms. As indicated in the procurement chapter, the fraud data analytics uses inference analysis. If it is too good to be true, then it most likely is false. The starting point is to understand policies and procedures for customer pricing and customer terms and conditions. The second aspect is to identify the internal person who has the authority to provide customer pricing and terms. I suggest the fraud auditor review the concept of internal control inhibitors in developing the permutations of the person committing the scheme. While the fraud action is the critical aspect, the internal person committing the scenario will assist the fraud auditor in the interpretation of the results.

The third aspect will depend on the nature of your industry. In banking, it is the issuance of a loan to a customer that is not creditworthy. In the manufacturing or wholesale industry, bribery occurs by providing a customer with favorable pricing. The fraud auditor needs to understand the likely benefits for which the customer would be willing to a pay a bribe.

The fraud data analysis is by pricing, specific sales or payment terms, or customer acceptance. The pricing is either based on differences between book price and sales invoice price or customer discount. Terms relate to those items that provide the customer a benefit such as credit limit or payment terms. The sample selection will use the data interpretation to select a sample based on anomalies for your company.

Summary

To repeat, fraud data analytics in the revenue cycle more than any other core business systems must be adapted to the industry and the company's internal revenue systems, policies, and procedures. The selection of the three fraud data analytics every audit plan should include is impossible. With that said, the single fraud data analytics routine is based on the fraud scenario that has a common occurrence in the industry:

  • In the banking industry, the fraud data analytics should search for fictitious term loans.
  • In industries selling a tangible good, the fraud data analytics should search for the pass‐through scheme.
  • In industries in which the customer pays for goods or services with currency, the fraud data analytics should search for the theft of currency.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset