Chapter 7
Fraud Data Analytics for Fraudulent Disbursements

For the perpetrator, fraud in the disbursement cycle is like a child in a candy store. The child has a favorite candy, and the child seldom takes one piece of candy. For fraud data analytics, the favorite candy is the fraud scenario, and frequency analysis is the amount of candy. Just like the candy store, the choice of candy is limited to the candy in the store; for the perpetrator, the number of fraud scenarios is limited to the number of fraud scenarios in the fraud risk structure that links to the perpetrator.

Inherent Fraud Schemes in Fraudulent Disbursements

The inherent scheme fraud theory states that the number of inherent schemes and scenarios are finite and predictable. The fraud auditor will need to convert the generic inherent scheme to a company‐specific fraud scenario, and if a targeted expenditure audit, to the language of the expenditure area.

The inherent scheme comprises an entity structure that is a supplier and a fraudulent action. The following fraudulent actions comprise the list of inherent disbursement schemes. To create the fraud scenario, the fraud auditor will need to link the person committing the scheme and the entity structure to the action statement. The auditor should write the scenario statement consistent with the approach described in Chapter 2.

  1. False billing is the process of paying a shell company for goods or services that are not received.
  2. Pass‐through billing is the process of paying for goods and services that are received when three entities are involved. The three entities are described later in the chapter.
  3. Overbilling is the process of paying for goods and services that are received from a real vendor. There are three major categories of overbilling based on the person committing the scenario and the method of overbilling:
    1. Vendor alone by exploiting weaknesses in the internal controls.
    2. Vendor in collusion with an internal source, with the overbilling occurring before the procurement process. This permutation is discussed in Chapter 8.
    3. Vendor in collusion with an internal source with the overbilling occurring after the procurement process, avoiding the procurement process or through the false administration of the purchase order or contract.
    4. The methods of overbilling are:
      1. Overcharging on price.
      2. Charging:
        1. 1. For a higher quantity than delivered.
        2. 2. For a higher quality than delivered (product substitution).
        3. 3. For goods/services that are not needed by the company.
      3. False charges on real invoices.
      4. False add‐on charges.
      5. Intentional duplicate payment.
      6. Intentional overpayment and divert refund.
  4. A personal expense is the process of paying for personal expenses that are inuring to the benefit of the internal person.
  5. Disguised expenditures occur when an internal person purchases goods with the intent of committing a theft scheme.
  6. Conflict of interest is the process of paying for goods or services that are received from the vendor but an internal employee has an undisclosed ownership in the vendor. Conflict of interest in the selection process, with no ownership, is discussed in Chapter 8.

The easiest way to explain the process of converting the inherent scheme to a fraud scenario for a targeted expenditure is to illustrate the concept. For purposes of illustration, we will assume internal collusion with an internal budget owner, the expenditure area is professional consultant fees, and the consultant is a real supplier that is overbilling on the contract:

  1. The internal budget owner operating in collusion with the consultant charges a higher hourly rate on the invoice than the hourly rate in the contract, resulting in the loss of company funds. The reason for the higher hourly rate is the concealment strategy.
  2. The internal budget owner operating in collusion with the consultant charges for more hours worked than the number of hours originally authorized in the contract, resulting in the loss of company funds. The internal person approves the invoice knowing that hours are overstated, which is part of the concealment strategy.
  3. The internal budget owner operating in collusion with the consultant charges for hours worked by a para‐professional at the consultant's rate, resulting in the loss of company funds. The internal person approves the invoice knowing that hours were performed by someone else, which is part of the concealment strategy.
  4. The internal budget owner operating in collusion with the consultant lists fictitious services on the invoice, resulting in the loss of company funds. The internal person approves the invoice knowing services were not performed, which is part of the concealment strategy. Also, in all four examples the internal person receives a kickback from the consultant.

Identifying the Key Data: Purchase Order, Invoice, Payment, and Receipt

The expenditure cycle comprises a purchase requisition, purchase order, vendor invoice, receiving document, and the payment, which can occur through a paper check or electronic transfer. The understanding of the information on these documents becomes the basis of fraud data analytics for the fraud action. Consistent with Chapter 3, the documents all have a control number, a control date, an amount, a line item description, and are recorded to a general ledger account.

As part of the planning process, the fraud auditor should understand when the document is issued, by what function, and the true internal control effectiveness. Issuing purchase orders after receiving the vendor invoice implies that the purchasing function was circumvented; therefore, the internal control effectiveness is reduced to a low level. If separation of duty concepts is not enforced, then control effectiveness must be considered low. The use of internal control avoidance testing can provide a good barometer as to the true internal control effectiveness.

The requisition might be initiated through a document or through an automated reorder process. The requisition is more critical in the search for procurement fraud scenarios versus payment fraud scenarios.

The purchase order is intended to create a contract between the vendor and your company. The placement of the purchase order is what causes the vendor to supply the goods or services. It is important to understand when purchase orders are issued within your company. Is the purchase order created before the vendor invoice, is the purchase order issued after the invoice, or is no purchase order issued? The use of disaggregated analysis on when the purchase order was issued may provide a clue to fraud opportunity.

The receiving document is created upon the receipt of the tangible goods to signify both the quantity and quality of the goods are consistent with the description on the purchase order. It is important to understand what tangible goods are received through the receiving function and what tangible goods bypass the receiving function.

The proverbial three matches occur when the vendor invoice matches the purchase order and the receiving document. This process initiates the payment to the supplier.

The payment occurs through a paper check or through an electronic payment. It is important to understand what causes a payment to occur. Is it through a three match or through an internal approval signature? If the payment occurs through electronic payment, then we know what bank account received the funds. If the payment occurs through a paper check, then all we know in data analytics is the payee listed on the check.

Documents and Fraud Data Analytics

Fraud data analytics for the fraud action statement is the process of examining the purchase order, the vendor invoice, the receiving document, the payment, and the general ledger account for red flags consistent with the specific fraud scenario. The fraud auditor has two approaches: the compliance approach or the fraud scenario approach.

The first approach assumes the auditor is performing a compliance‐based audit. In the compliance approach, the auditor searches for noncompliance with a procedure. Then the auditor searches for a pattern or frequency of noncompliance associated with a person or entity. In the compliance approach, the auditor must link the noncompliance to a fraud scenario either through additional fraud data analytics or through audit testing procedures. In the compliance audit the fraud data analytics is based on the internal control avoidance strategy.

The second approach is based on the fraud scenario approach, which is the basis of this book. In this approach, we build fraud data profile of the fraud action using the control number, date, amount, and description on the purchase order, vendor invoice, payment, and the general ledger account. In the scenario approach, the fraud data analytics strategies of specific identification, internal control avoidance, data interpretation, and number anomaly are the basis of the fraud data analytics approach.

FDA Planning Reports for Disbursement Fraud

The first step is to gather data to identify homogeneous data sets within the expenditure data file. The second step is to use disaggregated analysis to further shrink the homogeneous data set based on specific fraud scenarios. The homogeneous data sets are created based on the scope of the audit. A few illustrations are:

  1. Major expenditure categories within the company.
  2. Number of records in one year for purchase orders, invoices, receiving reports, and payments.
  3. Number of vendors on master file, as to active and inactive.
  4. For vendor master file testing, how many fields are blank versus populated.
  5. Purchase order—compare purchase order date to invoice date summarizing by dollar and frequency purchase orders issued before, equal to, or after the invoice.
  6. Vendor invoice summary—providing aggregate spend level, number of records, maximum invoice amount, minimum invoice amount, and average invoice amount.
  7. Number of payments that occur through paper check and electronic payment by vendor.
  8. Vendor invoices with and without a purchase order or vendor invoices with no independent receiving document.
  9. Identify nuisance—nuisance vendors are those vendors that will create false positives by the nature of the vendor or the type of expenditure (e.g., in a duplicate date test a delivery service company may have many invoices on the same date). The plan should attempt to identify these vendors before running the test. This concept is offered from a practical perspective versus a fraud concept.

FDA for Shell Company False Billing Schemes

The inherent scheme structure has two components for fraud data analytics plan. The shell company is discussed in Chapter 6. The fraud data profile for the false billing action statement can be characterized by these nine tendencies:

  1. Invoice amount has the following tendencies:
    1. Invoice amount is below a threshold, requiring a second approval.
    2. The minimum invoice is greater than $1,000. An exception to this guideline is the first invoice, which may be a small amount to avoid scrutiny on setting up a new vendor.
    3. The amount may be an even amount or a recurring amount. The type of expenditure impacts the use of even number theory or recurring amount theory.
  2. Invoice number has the following tendencies:
    1. Invoice number is a sequential pattern.
    2. The first number is a low number, often 1,100 or 1,000.
    3. If not a low number, the invoice will be an even number.
  3. Invoice date has the following tendencies:
    1. The invoice date field by itself is not a critical date; it is possible that there could be a tendency to create the invoice the same day of the week.
    2. Invoice dates consistent with a regular pattern of being created on non‐business days.
    3. The invoice date is critical in the comparisons to purchase order date and payment date. For purchase order date, when the purchase order is issued after the invoice, it may indicate circumvention of purchasing. For payment date, we are searching for speed of payment.
  4. Invoice description has the following tendencies:
    1. Tends to be for services.
    2. If for tangible goods, the anomaly is based on the lack of a numeric or alpha description consistent with the tangible goods.
    3. Description on the invoice is vague (e.g., professional services).
    4. General ledger accounts are an easy way to identify service‐based invoices.
  5. Other tendencies of the false billing scenario:
    1. The number of invoices is 52 (one a week) or less.
    2. The aggregate spend level with the vendor is in the bottom third of all vendors.
    3. There is no purchase order; purchase order is an open purchase order or the purchase order is issued after the invoice.
    4. If the scheme is perpetrated by someone in accounts payable, they may use a dormant open purchase order.
    5. Speed of payment is faster than normal customer payment terms.
  6. Specification identification:
    1. As a reminder, specification identification is the process of identifying a specific attribute of a purchase order, invoice, or payment that would cause the selection of a vendor for testing. While some scenarios have some great red flags, it is the weight of all the red flags that should cause the selection of the transaction or entity for audit examination.
    2. The fraud data analytics scoring sheet is a critical tool within the specific identification strategy. To illustrate how the scoring sheet would highlight a vendor transaction history of expenditures:
      1. There are no purchase orders associated with the invoices.
      2. Number of invoices is 12 over a 12‐month period.
      3. Invoice total amount is an even amount.
      4. Invoice amount is a recurring amount for the 12‐month period.
      5. Invoice number pattern is a sequential pattern.
      6. First invoice number is a low number.
      7. The aggregate of attributes causes the selection of the vendor versus one specific attribute.
    3. The following red flags should be ranked the highest for the search for a false billing:
      1. A sequential invoice number pattern. At a minimum, it appears the vendor has one customer. That customer would be your company.
      2. All invoice amounts are below a control threshold. The person committing the scheme wants low visibility.
      3. General ledger category associated with services.
  7. Internal control avoidance:
    1. Structuring vendor invoices is the process of splitting one vendor invoice that would exceed the control level into two or more invoices to avoid a control level. In vendor invoice structuring, the fraud auditor needs to decide if fraud data analytics will focus on total invoice amount or line items on an invoice. The matching then occurs on invoice date and/or the line item description. The second consideration is whether the structured invoice is associated with one vendor number or two or more vendor numbers.
    2. Using one vendor number, the invoices are structured to stay below the control threshold. Structuring is when two or more transactions in the aggregate exceed a control level. The FDA should search for two invoices associated with a common vendor number which have a match on invoice date or invoice number and that each invoice is below a control threshold; however, in the aggregate the invoices exceed the control threshold.
    3. Using two or more vendors, each vendor invoice is below the control threshold; however, in the aggregate the invoices exceed a control level. The testing for hidden entities in Chapter 6 is the start point. Then search for duplicate pattern associated with invoice number, invoice date, or invoice amount.
    4. The challenge is linking the two or more vendors to a common person. The linkage could occur through the person that created the entity, department number, or project number.
    5. Layering invoices is similar to structuring invoices; however, in layering the split invoices are recorded in multiple cost centers or companies where an individual has management control.
    6. Off‐period analysis is used when the person committing the fraud scenario works in the accounts payable function.
    7. Illogical order of purchase order and invoice is not typically found because the person wants to maintain a low visibility around their activity.
    8. Speed of payment is an excellent analysis especially if the motive for committing the fraud scenario is associated with a personal vice.
    9. Manual transaction analysis is not critical unless the scheme is being perpetrated by someone in accounts payable.
  8. Data interpretation:
    1. The data interpretation strategy is required when the perpetrator conceals the false billing scheme at a high level.
    2. The fraud auditor needs to make certain assumptions in their analysis that may or may not be supported by an authoritative study. Stated differently, the fraud auditor will make assumptions based on their professional experience.
    3. The first assumption I make is that the vendor's revenue is equal to 5 percent of the aggregate spend level in accounts payable. I use this assumption to interpret whether the patterns in the specific identification and internal control avoidance are consistent with my expectations of a company operating at a certain revenue level.
    4. To provide an easy illustration:
      1. Annual spend level with the vendor is $100,000.
      2. Using the 5 percent, I would project revenue at $2 million.
      3. The number of invoices submitted recorded in accounts payable is eight.
      4. Average invoice amount is $12,500.
      5. The vendor should have issued 160 invoices, assuming the $12,500 is representative of vendor's average invoice amount.
      6. The range of invoice numbers in accounts payable is 125. The first invoice is 1119 and the last invoice number is 1244 for a range of 125 invoices. Therefore, the assumed range of 160 is greater than the range in accounts payable of 125.
      7. Since the range is not consistent with my expectations, the transactional history would suggest the vendor is a false entity.
      8. Reminder: I am also considering attributes identified in the shell company analysis as the basis of the sample selection.
    5. Sample selection in the data interpretation strategy is not for the faint of heart. It requires a high degree of judgment. However, using the fraud data analytics scoring sheet, it is the weight of the attributes versus a specific attribute.
  9. Number anomaly:
    1. In vendor invoice number anomaly we summarize invoices based on the invoice amount. The report has three columns, the invoice amount, the frequency of the amount, and the aggregate amount associated with the invoice amount.
    2. The first test is for round number analysis. The auditor needs to define which round amounts are included in the analysis. Based on the selected round number amounts, the second analysis is the frequency of a vendor number occurring within the round number. Once the low frequency has been excluded, the fraud data analytics should search for a pattern in the invoice number, date, or description.
    3. The recurring number analysis is similar to the even number test, except the first trigger is any invoice amount that occurs more than once. The second test is to identify vendors in the recurring number that have at least five occurrences. Once again, the auditor should look for a pattern in the invoice number, date, or description.

Understanding How Pass‐Through Schemes Operate

Pass‐through schemes provide the illusion of an arm's‐length business transaction with a real company. The goods and services are received, the internal three‐way match is in full compliance, and the internal person has committed the fraud scenario, either alone or in collusion with an external party. To further complicate the matter, the middle company, which is the pass‐through company, is either a shell company or a real company. There are six permutations of the pass‐through entity scheme.

The pass‐through schemes are similar in structure, but very different in the fraud data analytics. The fraud auditor will need to build a separate plan for each version of the pass‐through scheme. The starting point is to understand how the entity structure operates:

  • The shell company pass‐through scheme is composed of three companies. There are two permutations of the shell company pass‐through. The first company is your company, the second company is the shell company, and the third company is a real supplier. The shell company is controlled either by an internal person or by a salesperson at the third company, which is the supplier of the goods. Each version has a similar but different fraud data profile. In the false entity scheme both the entity and transaction analysis maybe effective in locating the shell company (Figure 7.1).
    A diagram for pass-through entity: internal person with three text boxes with bulleted lists titled: Your Company, Shell Company, and Real Supplier from left to right, respectively.

    Figure 7.1 Pass‐Through Entity: Internal Person

  • The real company pass‐through scheme is also composed of three companies. The first company is your company, the second company is a real supplier that is currently providing your company with goods or services, and the third company is also a real supplier and either is or is not currently providing your company with goods or services. There are four versions of the real pass‐through scheme. The first three versions are similar; the fourth version is difficult to detect with fraud data analytics because the scenario occurs through the general contractor versus your internal database (Figure 7.2).
A diagram for pass-through entity: external salesperson with three text boxes with bulleted lists titled: Real Supplier, Shell Company, and Your Company from left to right, respectively.

Figure 7.2 Pass‐Through Entity: External Salesperson

Version One Description

The shell company pass‐through scheme when the internal person creates the shell company.

The first version is when the shell company is created by an internal person. The internal person causes a purchase order to be issued to the shell company. The shell corporation has no assets or employees, so the shell corporation in essence purchases the goods from a real company. The real company ships the goods directly to your company. The real company invoices the shell company and the shell company invoices your company at a markup from the real invoice. Thereby, the scenario complies with the three‐match procedure of a purchase order, invoice, and receipt. The fraud profit for the internal person is the difference between what the real company charges and what the shell company charges your company. The conversion cycle occurs by the internal perpetrator controlling the shell company bank account.

Version Two Description

The shell company pass‐through scheme by the external salesperson from real company.

The second version is when the shell company is created by a salesperson at the real company. In the salesperson version the salesperson pays a bribe to the internal person to purchase from the shell company versus the real supplier. The internal person issues a purchase order to the shell company. The real company ships directly to your company, the real company invoices the shell company, and the shell company invoices your company. The conversion cycle occurs when the salesperson that created the shell company pays a kickback to the internal person.

The fraud data profile for both shell company pass‐through schemes is similar but both schemes have a few unique attributes. Using the pass‐through company invoice, the fraud auditor would interrogate the data as follows:

  1. Invoice amount has the following tendencies:
    1. Unlike the false billing scheme, the invoice amount does not need to stay below a control threshold. The amount of the invoice is based on the internal order versus the false billing perpetrator's desire to remain below a control threshold.
    2. When the pass‐through is created by the internal person, the invoice amount has a higher tendency to be an even amount.
  2. Invoice number has the following tendencies:
    1. Similar to the false billing, the invoice number pattern starts with a low invoice number.
    2. Version one has a sequential pattern of invoice numbers.
    3. Version two has a limited range pattern, or an illogical pattern of invoice numbers. The reason is that the salesperson from the real supplier might be perpetrating the scheme with more than one customer.
    4. When the perpetrator is sophisticated, the perpetrator starts the invoice number with a high invoice number. The audit procedure of comparing the incorporation date to the first invoice date would be the red flag.
  3. Invoice date has the following tendencies:
    1. The invoice date is compared to the purchase order date for speed of processing.
    2. The date is used for speed of payment analysis.
  4. Invoice description has the following tendencies:
    1. Tends to be for supply items versus inventory items.
    2. Equipment rental charges also are related to the pass‐through scheme.
    3. The use of the general ledger account number is useful in identifying invoices that are associated with the pass‐through scheme.
    4. For tangible supply items, the description field should have both an alpha and a numeric description.
    5. The numeric description should be tested for the number of integers in the numeric description. The fraud theory is based on real companies that have product description files. The item sold is assigned either as product number or sku number. Real company product numbers tend to be nine integers or greater. In reality, the number of integers will vary by large or small suppliers. Therefore, when the product number has fewer integers than the normal supplier for your company, the numeric string becomes a useful red flag.
    6. The alpha description follows the same logic as the numeric string. The first test is for invoices having a missing alpha description. The test for the number of alpha positions may also be used but tends to be less effective.
  5. Other tendencies associated with the pass‐through scheme:
    1. The aggregate spend level with the vendor is in the middle third of all vendors.
    2. Unlike the false billing scheme, the number of invoices per year is not a critical item.
    3. Speed of payment is faster than normal customer payment terms. In the early stages of the scheme, speed of payment may mirror a real vendor; however, as the duration of the scheme goes beyond the six‐month period, typically a faster pay pattern will occur.
    4. The purchase order is typically issued before the invoice and is most likely an open purchase order.
    5. The general ledger account tends to be an expense account, although recently reported cases have indicated that companies operating as a manufacturing representative have occurred for inventory items.
    6. The new vendor is a government‐preferred supplier where the original supplier did not have preferred government status.

Version Three Description

A real company operating as a pass‐through scheme

In version three, the middle company is a real company and operates as the pass‐through company. However, the real middle company is not in the business of selling the item that your company requires. The internal person conspires with the real middle company to purchase the real item from another supplier. Since the real middle company does not supply the item, the real middle company must purchase the item from another real company. The shipment of the item to your company typically occurs from second real company. However, the second real company may ship directly to real middle company, and the real middle company would ship to your company. The fraud scheme requires a markup on the price to your company and the middle real company paying the internal person a bribe. The final investigation may determine that the third company was either complicit or not complicit in the scheme.

FDA Plan

There is no entity analysis because the supplier is real.

The fraud data analytics must focus on the line‐item description on the invoice or the purchase order. The analysis is searching for a vendor that the majority of purchases are within a specific expenditure area; therefore the anomaly is line item purchases that are not consistent with the primary expenditure associated with the supplier.

When a company uses a commodity code within its purchasing file, the identification of the anomaly is simple. The fraud data analytics summarizes purchases by vendor by commodity code. Vendors that have only one commodity can be excluded. The fraud auditor then uses data interpretation to review the remaining list for anomalies. If your company does not maintain commodity codes, the use of general ledger account number may provide a similar analysis. The final approach would be a summary by vendor, by line item. The last approach would require the most extensive manual effort by the fraud auditor.

The first audit step should be to review the selected vendor's website to determine if the vendor advertises the anomaly purchase on its website. If the item is not advertised, the fraud auditor has credible evidence to perform an investigation.

Version Four Description

A real company operating as a hidden entity operates as a pass‐through scheme

The scheme operates exactly as version three, except the middle and real company have a common ownership. The entity is referred to as a hidden company, which was discussed in Chapter 6. In this scheme, your company will purchase from both the middle and the real company. The true purpose of the hidden pass‐through is to avoid dollar control levels by splitting the purchase. In this scheme, the internal person may or may not be complicit in the scheme.

FDA Approach

The entity testing relies on the duplicate analysis, which was discussed in Chapter 6.

If the entity testing reveals hidden entities, the first step of the transaction analysis is linking the transactions to the vendor numbers identified in the hidden entity testing. In this way, instead of summarizing all transactions by vendor number, we are able to shrink the population to those transactions that link to the hidden entity number. The transaction analysis searches for duplicate line items between the two companies. If exact matches do not occur on the line item, using a general ledger number may provide a commonality for analysis. If line‐item analysis is not effective, search for duplicate invoice number or invoice date between the two companies. Once the duplicate purchases are identified, summarize the transactions based on dollars and frequency to determine if the combined purchases exceed key control thresholds.

If entity analysis does not reveal hidden entities, then we need to search on all transactions. The first step is finding a common denominator between the transactions. Start with the general ledger code, department code, or cost center. Based on the common denominator match, search for a secondary match for duplicate information between the transactions such as invoice number, invoice date, line‐item description, or purchase order number. The secondary match would be a duplicate test using a duplicate date and common line item between two different vendor numbers or a duplicate invoice number and common line‐item description between two different vendor numbers.

One of the complexities associated with the scenario is how the supplier uses the two companies. In one situation, the second company's sole purpose is to facilitate the structuring of purchases to avoid your company's internal dollar levels. In essence, the second company is similar to a shell company. If this is true, then the fraud data analytics for one of the hidden entities would meet the profile of the false billing shell company.

If the second company is a free‐standing company selling to multiple customers and various product lines, then we will search for duplicate line items between the two vendors and the secondary criterion would be date of purchase. As a practical suggestion, in the data usability analysis determine the quality of the line item descriptions in your files.

Version Five Description

Real business acts like a shell company but operates as a pass‐through scheme

There are a number of businesses that operate as a legal pass‐through company. Examples are manufacturing representatives, product brokers, and minority suppliers or government‐preferred vendors. These types of suppliers are real and provide a necessary service to the business community. Unfortunately, there are suppliers in this category that are legally created, may have an office, but in essence function like a shell company because your company is actually procuring the item, and the real supplier is actually shipping the item to your location. The supplier in the middle simply functions as a legal pass‐through.

FDA Plan

The entity analysis would first focus on those codes that may help identify a government‐preferred supplier. Since the other vendors in this category may be operating from home offices or small offices, the address field may be of use. The fraud data analytics could focus on street addresses or known mailbox service addresses.

The transaction analysis would focus on invoice number and line‐item descriptions. The invoice number pattern would most likely be a sequential pattern or a limited range pattern. The amount of the invoice would not be critical because the supplier was most likely selected on a sole source basis. In my experience, the invoice amount tends to be an even amount.

When the real pass‐through company operates as a shell company, the invoice description tends to be vague or provide limited line‐item descriptions as with a real supplier. The data interrogation should focus on the lack of alpha and numeric in the description. The numeric description may also have limited integers.

Version Six Description

FDA for prime contractor and subcontractor

The internal person directs the prime contractor to select a specific subcontractor and the internal person directs the prime contractor to pay the subcontractor a specific amount. The subcontractor then pays a bribe directly to the internal person. Generally there is no effective fraud data analytics plan to search for version six, unless there is a change order reflecting the subcontractor's identity or a line item on the general contractor's invoice, which provides a subcontractor's name.

Overbilling: The Vendor Alone by Exploiting the Vulnerabilities of the Company's Internal Controls

In this category, the basic assumption is that the internal source is not complicit in the overbilling. However, for whatever reason the internal controls do not prevent or detect the vendor from overbilling your company.

A vendor understands a company's receiving and payment internal controls in some ways better than the company itself. With this knowledge, the vendor exploits the vulnerabilities in the receiving and payment process. Although the illustrations are for tangible goods, the concept is similar for services. Typically the invoices are considered small dollar for the organization. The concept of small dollar is relevant to the organization versus the concept of a small number. The reason for the small‐dollar invoice is the reduced visibility concealment concept, and often the internal controls are less robust for small‐dollar invoices. Due to the volume of transactions in this analysis, filtering of activity is paramount to the success of the analysis. The more common scenarios perpetrated under this category of overbilling are:

  1. Submitting an invoice where the amount or unit price on the invoice exceeds the purchase order. However, the price increase is within the acceptable tolerances that exist in a company's payment system. The fraud data analytics compares invoice amount to purchase order amount searching for invoices that exceed the purchase order amount within tolerances. The analysis may occur on line item or total invoice. The report should provide three columns of data. Each column of data will provide a frequency and aggregate dollar value of the vendor invoices. The first column is frequency and aggregate dollar value of vendor invoices that are equal to or less than the purchase order. The second column is the frequency and aggregate dollar value of invoices exceeding the purchase order within tolerance. The third column is the frequency and aggregate dollar value of vendor invoices exceeding the purchase order tolerance. The first selection process is based on frequency of occurrence of invoices exceeding purchase order within the tolerance and the dollar impact. The second selection is the invoices exceeding the purchase order tolerance level. If internal controls are operating effectively, then invoices exceeding the purchase order should not be paid without a change order, or the overbilling scheme would indicate someone is overriding internal controls, which then indicates collusion between an internal and external party.
  2. Submitting small‐dollar invoices that are fictitious and are matched to an open purchase order. The first step is to identify open purchase orders. The attribute is a purchase order than has more than one invoice. The fraud data analytics summarizes by vendor by purchase order the invoices by small dollar and large dollar. The dollar value is based on what is large and small for your company. The report should provide both the aggregate dollar value and frequency of invoices by the two categories. The sample selection is based on data interpretation focusing on the line item descriptions, which tend to be vague, nondescriptive, or illogical for the noted vendor.
  3. Submitting small‐dollar invoices that are fictitious and do not require a purchase order. The first step is to identify invoices that have no purchase order number. The fraud data analytics summarizes by vendor the invoices by small dollar and large dollar. The dollar value is based on what is large and small for your company. The report should provide both the aggregate dollar value and frequency of invoices by the two categories. The sample selection is based on data interpretation focusing on whether the frequency and aggregate dollar value of the item on the small‐dollar invoice is logical for the vendor and your company. The sample selection is based on data interpretation focusing on the line item descriptions, which tend to be vague, nondescriptive, or illogical for the noted vendor.
  4. In scenarios two and three, the data interpretation is the challenge because of the sheer volume of transactions. The use of inclusion and exclusion theory is important when the analysis has a large number of transactions. So a few thoughts in refining the process:
    1. The starting point is to exclude vendors that have a low number of small‐dollar invoices, based either on frequency or aggregate dollar amount.
    2. Exclude the nuisance vendors from the analysis.
    3. Use the number analysis on the remaining vendors. Exclude large‐dollar invoices because the scenario is searching for a high frequency of small‐dollar invoices. The number anomaly is searching for the vendor submitting small‐dollar invoices of the same amount for goods or services not provided.
    4. Using the description field on the invoice, search for a description that has no numeric integers in the description line. The lack of integers indicates that the line item description was created manually versus from a customer's product database.
  5. Submitting an invoice with a false add‐on charge. The false charge might be either a line item on a real invoice or an invoice with just the false add‐on charge. These charges range from shipping to restock charge. The difficulty is how to search and isolate the add‐on charge. The following techniques have been helpful to identify the scenario:
    1. Start by summarizing the line‐item description field on the vendor invoice and provide the frequency of occurrence of the line‐item description. The report, while voluminous, will identify all line‐item descriptions and variations of spellings in your database. The intent of the report is to act as a reference tool more than a sample selection tool.
    2. Establish a table of common names used to describe an add‐on charge. The previous report is useful in identifying common names for add‐on charges. The fraud data analytics creates a table of common names and performs an alpha string search for the common name in the line‐item description. The report should summarize by vendor number by the common name providing the frequency of the line item and aggregate dollar value of the line items. The last line for each vendor should be all line items not on the table of common names. The sample selection is based on data interpretation focusing on whether the frequency and aggregate dollar value of the add‐on charge are logical for the vendor or whether the add‐on charge itself is logical.
    3. A second approach is to summarize by vendor number, by invoice number identifying the invoices having an add‐on charge, and the invoices that do not have an add‐on charge. The report should provide the frequency and aggregate dollar value of vendor invoices for both the have and have‐not occurrence. The sample selection is based on data interpretation based on the anomaly of why some invoices have an add‐on charge and other invoices do not have an add‐on charge. The nature of the line‐item description will be the first clue.
    4. A third approach is to search the invoice line for add‐on charges through the quantity field on the line item. Line items on a vendor invoice tend to have a quantity of zero, blank, or one in the quantity field. The correct answer for the search depends on how accounts payable records line‐item add‐on charges in the database. The fraud data analytics is to identify by vendor invoice by invoice line all invoices that have blank, zero, or one in the quantity line. The sample selection is based on data interpretation focusing on whether the frequency and aggregate dollar value of the add‐on charge are logical for the vendor.
  6. The quantity on the invoice is greater than the quantity delivered. This scenario typically occurs for tangible goods that no physical inventory exists for the item—that is, supply items. The fraud data analytics should first identify all tangible goods. Using the general ledger codes is an easy but not perfect way to isolate tangible purchases. The analysis will exclude all purchases associated with inventory because the variance between book and count should reveal a theft scheme occurring. The key is to summarize the quantity purchased from the vendor by line item. The sample selection would start with outlier analysis and then switch to data interpretation based on whether the aggregate quantity for line item is logical for your company.
  7. Submitting invoices for items that are not ordered but delivered. The first level of identification is all invoices with no purchase order. The transactions should be summarized by vendor, by line item. Each line item should have the aggregate quantity and aggregate dollar value. The sample selection is based on data interpretation on whether the line item quantity is logical for your company.
  8. Vendor invoices that have one line item and a quantity of one. This may be an indicator that the invoice was entered with the line item being one, the unit price is the total value of the invoice, and the extended total equal to the unit price. This would indicate the invoice was entered in a manner to circumvent the three‐way match. In reality, this might be an indicator of either vendor alone or vendor in collusion. If nothing else, it is indicator that something is wrong with your internal controls.
  9. Submitting real invoice that one or more line item is a false charge. For invoices with purchases orders, the data interrogation should match line item on invoice to line item on the purchase order. The sample selection would be for invoice line items with no corresponding match to the purchase order.

Overbilling: By Submitting Duplicate Invoice via the Vendor Alone or Vendor in Collusion Accounts Payable or by Accounts Payable Alone

The scheme occurs by intentionally submitting an invoice twice for payment of the same goods or services. Duplicate payment test depends on how the vendor or accounts payable clerk is submitting or recording the second invoice. The test examines the invoice number, invoice date, invoice amount, and invoice line‐item description. The test is designed to search for the true duplicate with no concealment or a duplicate invoice that uses concealment by a change in the second invoice: invoice number, invoice date, invoice amount, or line item description. For clarification, the concept of first or second invoice is not intended to describe the order the invoice was submitted but rather, the concept of two vendor invoices for the same goods or services. Also, the discussion will describe duplicate testing when there is no purchase order or an open purchase order. The testing could also be relevant when the purchase order is issued after the receipt of the invoice and the purchase order transaction is created by accounts payable. The fraud auditor will need to understand the fraud opportunity question, person committing, as it relates to their organization to properly address the possible combinations of opportunity.

  1. The first test should be to search for invoices with an exact match on a duplicate invoice number, duplicate date, and duplicate amount. The test could also focus on duplicate invoice number, date, and amount alone. The analysis could also focus on one data element (e.g., duplicate date); unfortunately, this approach requires the fraud auditor to use data interpretation searching for the duplicate pattern versus specific identification. Remember, always perform the easiest test first and then perform tests in the order of difficulty.
  2. Hidden duplicate invoice number occurs when the invoice number on the second invoice, the duplicate invoice, is changed to avoid the internal edit for duplicate invoice number. The typical variations are where a letter, special symbol, or a numeric digit is added or subtracted from the second invoice to avoid the duplicate test or second invoice number has a transposition in the invoice number. In the hidden duplicate invoice number test, the data interrogation plan will need to create a virtual invoice number field and strip out the alpha, special symbol on the beginning or end of the string or embedded somewhere in the invoice string. The report should place the virtual invoice number and the actual invoice number next to each other for easy visual comparison.
    1. If the alpha or special symbol technique is added to the second invoice, the duplicate test on the virtual invoice number should find the duplicate invoice number.
    2. If an extra numeric digit is added, there should be a significant gap between the last and first invoice number. The report should calculate an invoice number range and a date range. Unfortunately, this report may produce a high number of false positives due to data integrity issues.
    3. If an extra digit is added or subtracted from the second invoice number, the anomaly would be the number of digits in the invoice number by vendor number. By vendor number, create a frequency analysis of the number of integers in the invoice number. The report is searching for a vendor that has multiple lines of frequency by integer (e.g., five integers, six integers).
    4. If the approach is a transposition of integers within the invoice number, then there should be an anomaly between the invoice number sequence pattern and the sequence of invoice dates. Assuming the vendor follows an ascending pattern of invoice numbers the dates should also follow an ascending pattern. The report is searching for vendors with invoice numbers and invoice dates that do not follow a logical ascending pattern.
  3. Different vendor invoice number with a duplicate date or duplicate line item or duplicate amount or any combination of the three other items. The first problem with the test is described earlier in this chapter as the nuisance vendor. These vendors by their nature submit multiple invoices per day for the same type of service or goods. The different invoice number duplicate payment analysis should create two groups of vendors for the test: the list of nuisance vendors and the list of non‐nuisance vendors. Data interpretation by the fraud auditor will be required for both data sets.
  4. Different invoice number, date, and amount. The second invoice contains an additional charge (add‐on charge) that provides the illusion of two different invoices. See the previous section regarding vendor alone exploiting the vulnerabilities of internal controls for discussion of add‐on charges.
  5. The accounts payable function may be in collusion with a vendor and the accounts payable function is intentionally paying a vendor invoice twice. The accounts payable function is receiving a kickback from the vendor. The data pattern is a high frequency of duplicate payments to one vendor.
  6. In smaller accounting organizations, the accounts payable clerk can commit the duplicate payment scheme alone by intentionally paying a vendor invoice twice. The accounts payable clerk then contacts the vendor, indicating the invoice was paid twice in error. When the vendor remits the refund for the duplicate payment, the accounts payable clerk diverts the refund to a bank account that the accounts payable clerk controls. The data pattern is a regular frequency of duplicate payments to different vendors.

Overbilling: Understanding the Fraud Risk Structure When Collusion Occurs between the Vendor and the Internal Person without the Involvement of the Procurement Process

The concept is simple: The vendor operating in collusion with a budget owner or senior manager overcharges your company. Overcharging that occurs through the procurement function is discussed in Chapter 9. In this chapter, overcharging does not involve the procurement function but is linked to the approval process, receipt process, or payment process. Collusion is the key word in this scheme. The internal person is a control owner. The variables in overcharging are the expenditure category, the industry, responsibilities of the control owner participating in the scheme, and where the scheme occurs in the expenditure cycle. It would be impossible for anyone to describe all the overcharging permutations by industry, so this book will focus on the methodology and allow the fraud auditor to adapt the methodology to the industry and expenditure category.

The first step is to understand the inherent scheme structure of how overbilling occurs:

  1. Overcharging on unit price occurs through a change in price after procurement, or the unit price is inflated. If inflated, the approach is to use either trend analysis, outlier analysis, or benchmarking a vendor unit price to another source.
  2. Charging for a higher quantity than delivered—the methodology should differentiate between inventory items and supply items. Inventory items should eventually reflect a variance or excessive adjustments, whereas non‐inventory items will use outlier analysis by identifying a quantity that exceeds business use.
  3. False charges on real invoices simply stated—either the service was not performed or the tangible item was not received.
  4. Intentional duplicate items on real invoices—the test focuses on duplicate description field. For tangible good expenditures, obviously this will create an extensive list of false positives. For services, the test may not be as effective because of the nature of service descriptions on invoices.
  5. Intentional duplicate payment of an invoice—the fraud data methodology will focus on duplicate date, invoice number, or amount for exact matches.
  6. False add‐on charges will vary by services and tangible goods. The fraud data analytics searching for falsely added charges should have two homogeneous data sets: service expenditure and tangible good expenditures. For service, using keyword searches that relate to the service will prove effective. For tangible goods, search line items that have no quantity or a line‐item description that does not have a numeric string.
  7. Charging for a higher quality than delivered (product substitution). The nature of product substitution does no lend itself to fraud data analytics because the fraud is in the tangible item versus the data. However a line item description that does not provide standard industry information may be a red flag.
  8. Charging for goods/services that are not needed by the company. In this scheme the goods and services are received. The nature of the scheme does not lend itself to fraud data analytics. Outlier analysis may help, but without an allegation, finding a starting point is difficult.

Fraud data analytic routines need to be designed around the opportunity to commit the scheme and the method of overbilling. The fraud data analysis starts by creating homogeneous data files based on the opportunity to commit the scheme, then the search for the overbilling techniques. The analysis typically requires creating multilayers of files to identify the specific fraud scenario. The reason for the opportunity analysis is to establish the intent factor through frequency analysis. The technique analysis is to identify the method of overbilling. In this book, we will discuss opportunity analysis from three perspectives:

  1. False administration of the properly issued purchase order. The starting point is the change order.
  2. Budget owners circumventing purchasing but providing the illusion of compliance. The starting point is to identify all invoices with no purchase order, open purchase orders, small‐dollar invoices, and invoice splitting.
  3. Budget owner that purchases directly from the supplier by design of purchasing policies. The starting point is invoices with no purchase order or the purchase order is issued after receipt of the invoice.

Once the opportunity homogeneous data files are created, the second step of the analysis is to search for the various overbilling techniques. Based on my experience, the fraud auditor should start with an inflated unit price, false add‐on charges, and excessive item purchases scheme.

To avoid confusion, within the context of this chapter, the term purchase order includes either a purchase order or a contract. In regard to bidding procedure, the approach described will not distinguish between oral quotes, written quotes, or sealed bid procedures.

The basic assumption in this overbilling category is that procurement controlled the acquisition and the procurement function is not involved in the scheme. A purchase order is issued and the overbilling occurs through falsely approving changes to the purchase order, overriding the purchase order with invoice approvals, or the budget owner provides advance communication of a future change of the purchase mix and no change to the purchase order.

The overbilling in this scheme occurs after procurement through the false administration of the purchase order. So, do not be fooled by the evidence of written bids, written quotes, purchase orders, and contracts. The bidding process provides the illusion of sound internal controls, which effectively conceals the budget owner's intent to corrupt the procurement process.

The good news is that overbilling after procurement leaves an audit trail of change. Now the bad news: Since most vendors on your master file are real vendors, the sheer volume of data is a general concealment condition. Furthermore, changes to purchase orders are common, and changes to projected needs do occur. Whatever the reason, the key word is change.

The change fraud data analytics methodology in the false administration scenario is the search for change through the purchase order file or through the invoice file. This is not a matter of style but the search for different types of changes.

Identify Purchase Orders with Changes

The change fraud data analytics strategy based on the purchase order file searches for the changes to the unit price, quantity, and dollar value of the purchase order. The goal is to identify a high frequency of change by vendor or department or changes that have a material impact on the dollar value.

The first step is to create two homogeneous data files: purchase orders with changes and purchase orders without changes. First, summarize the two files by vendor number, providing frequency, aggregate dollar value, maximum, minimum, and average. The first report is intended to provide gross statistical information. The second report would summarize by vendor number, providing frequency and aggregate dollar value of purchase orders with changes and without changes. The second report is to identify vendors with a higher frequency of purchase order changes.

The purchase order change report should also summarize by the person committing the scenario. The person committing the fraud scenario could be a buyer, department, or any other meaningful business grouping. The purpose of the summary report by person committing the scenario is to link the purchase order changes to a person.

Now that the planning reports are complete (remember the understand data step) the next step is to interrogate the data.

FDA: Changes to the Purchase Order

The types of purchase order changes that typically occur are

  • Change to the original purchase order as to price, quantity, or specific line items.
  • Purchase order extension.
  • Add‐on purchase order.
  • Changes to the quantity received or changes to the product description.
  • Changes to the mix of items procured.
  • Increase in the total dollar amount of the purchase order.

Specific identification strategy is initially used to create homogeneous data sets. In this scenario category purchase orders with no change would be excluded from the fraud data analysis because change is the key criterion. So, the first homogeneous data file is purchase orders with changes. In the second step, the purchase order should be disaggregated into two separate files, purchase orders with one invoice and purchase orders with multiple invoices. The reason for two files is because the change between one purchase order and one invoice is simply easier to see than when there are multiple invoices.

Using the purchase order change files, the fraud data analytics should search for the type of change, or change by buyer, or by general ledger category. The goal of the analysis is to identify a pattern and frequency of change that correlates to an internal person or a vendor.

As a reminder, our goal is to shrink the haystack in order that an anomaly becomes more visible to the naked eye. At this point, the fraud auditor could filter out the changes with an immaterial dollar change and use a sample selection methodology to select purchase orders within the change category, or the fraud auditor could continue with their fraud data analysis.

False Administration through the Invoice File

The change fraud data analytics strategy based on the invoice file is to summarize actual purchases described on the vendor invoice by line item and prepare the same summary for the purchase order. Then the next step is to search for change between vendor invoice summary of actual purchases to the line items on the original purchase order. The goal is to identify changes on a line item between the invoice summary and purchase order summary. There are two outcomes. The first outcome is a change to the total purchase order amount and a change to the mix. The second outcome is no change to the purchase order total amount but a change in the mix of the items purchased. The change in the mix provides the vendor with more favorable margins. In both approaches, the goal is to recreate the purchase selection process by comparing actual purchases to each vendor's bidding information to determine if the lowest‐cost vendor was in fact selected or if the change allowed the vendor to commit an overbilling scheme.

By purchase order number, summarize the vendor invoices by line item that links to each purchase order. Then summarize the purchase orders by line item. Compare the invoice summary to the purchase order summary and search for change on the line item. The goal is to identify changes in the mix of the actual items purchased to the mix of items on the original purchase order. The purchase orders with no change to the mix should be excluded from the fraud data analytics in this scheme. Now the fraud auditor has created a homogeneous file of changes.

FDA: Change through the Invoice File

Using the purchase order change file, link the invoices to the purchase orders that had the change criteria. The analysis follows the retrospective analysis introduced in the auditing standards.

The fraud data analysis in the invoice file is searching for a change in the mix of items purchased from the vendor. The change in mix is purchasing different quantities of items, different quality, or different items than described on the original purchase order. The change in mix can occur through one vendor in collusion with the budget owner or two vendors operating in collusion without the budget owner. Start with the budget owner permutation and one vendor.

The change in mix is the first indicator of a vendor and internal person operating in collusion. The fraud data analysis by itself will identify the change in the mix; it is the fraud auditor's job to determine if the change occurred through normal business evolution or the change occurred through intent to commit the scheme.

Change in the mix can also occur between two vendors. When you place an order for the item, the vendor indicates that it is out of stock for the item. Since the item is time critical, you purchase the item from the next‐lowest‐cost vendor in the bid file. The goal of the vendors is to sell only those items with the highest margins. In the procurement chapter, this scheme would be referred to as vendor bid rigging.

A good red flag of the two vendors operating in collusion is searching for a zero quantity purchase of a line item on a purchase order. In this scheme the vendor awarded the purchase order avoids selling those items with low margins and the vendor not awarded the purchase order fulfills your needs of the zero purchase line item selling the item at a high price.

The specific identification strategy using the invoice file would identify purchase orders by vendor that have a zero quantity of a purchase line item. The zero quantity item purchase order lines become a homogeneous data file. The next step is to determine if the zero purchase line item was procured from a different vendor. Using the line item, perform a duplicate test for duplicate line items but different vendor number. If the zero line item file is small, use the general ledger account as a common dominator for linking purposes, and perform the old hunt‐and‐peck approach.

The fraud auditor then must examine the facts and circumstances of the zero purchase line‐item schemes. Caution: The obvious criterion is a significant unit price difference between the two vendors. However, it is possible that both bid prices were inflated; therefore, no significant unit process changes are evident.

Overbilling: When the Budget Owner or Senior Manager Operates in Collusion with the Vendor to Avoid Bidding Levels but Complies with Purchasing Procedures

In the circumvent scheme, the budget owner circumvents the procurement function by creating requisitions below the bidding level and recommending a preferred vendor, or the budget owner purchases directly from the vendor through small‐dollar purchases; however, the purchases in the aggregate would require bidding procedures. The key word is circumvention through compliance with purchasing procedures.

The circumvention fraud data analytics strategy is based on small‐dollar purchase orders, small‐dollar invoices, and split invoices. The circumvention is how the internal source avoids the intent of procurement controls and provides the illusion of full compliance with procurement. A second avoidance strategy is the time extension of the purchase order, which effectively allows for avoidance of the procurement procedures. Circumvention can also occur when a real supplier operates under multiple names.

FDA: Circumvention through Small‐Dollar Purchases

Specific identification strategy is used to create the file of vendors or buyers that meet the criteria of the scheme. The data interpretation strategy is used to identify the circumvention of the procurement process through small‐dollar transactions. The pattern was established through the specific identification strategy. The frequency of occurrence or the dollar magnitude of the small‐dollar transaction will be the basis of the data interpretation. The linkage factor starts with a vendor number and then on the line item, project number, department number, general ledger code associated with the purchase order, and the small‐dollar invoices.

The first step is to create two homogeneous data files based on bidding levels. The first file is all purchase orders below the bid level and the second file is all purchase orders above the bid level. If invoices are processed without purchase orders, then the same process would need to occur. The purchase orders and invoices above the bidding level are excluded from the next analysis.

Starting with the small‐dollar purchase orders, summarize the small‐dollar purchase orders by vendor, providing the frequency and aggregate dollar value of purchase orders. By vendor number, summarize the frequency and dollar value of small‐dollar invoices with no purchase order. Then create one report with three columns of data: small‐dollar purchase orders, invoices with no purchase order, and the aggregate of the two columns. Filtering of small‐dollar activity is critical because of the abstract nature of the data interpretation in the next phase. The fraud data analysis reports by their nature might be voluminous, which makes data filtering critical.

The concept of testing for splitting invoices is searching for split invoices by vendor number using the exact match in the duplicate test using invoice date and/or line items on invoices. These concepts were already discussed in the book.

Overbilling When the Vendor Is in Collusion with an Internal Source (Budget Owner) and the Internal Source Negotiates the Purchase and Administers the Contract, Effectively Bypassing Procurement

In this scenario, the entity is real, the fraud profit is embedded in the invoice or purchase order, and no change is required to the documents. Therefore, the red flags are not visible in one transaction but would be visible over a period of time. A caveat: If the fraud auditor has superior knowledge about a specific purchase, the fraud auditor would be able to see the anomaly in a transaction. In a classroom setting, using one invoice from an equipment rental fraud scheme, a gentleman with 25‐plus years in the equipment rental business was able to see the fraud in two seconds. For the fraud auditor without superior knowledge, fraud data analytics is the methodology for identifying overbilling.

Fraud data analytics is a multi‐tiered approach, starting with internal control circumvention, use of change analysis followed by specific identification, and then the use of data interpretation through the use of change, trend analysis, or benchmarking to similar purchases. The fraud auditor will need to make a few assumptions in the analysis based on fundamental fraud theory. For example, the greed factor will cause the perpetrators to want more money. The fraud will continue until some event stops the fraud. The supplier and internal person are friends.

The first step in the circumvention strategy is to identify purchase orders that avoided procurement. By avoiding procurement, it means that no meaningful procurement procedures were performed on the selection of the vendor. The mere fact that a purchase order is issued does not indicate that meaningful procurement procedures were performed. The problem becomes how to identify such acquisitions. In this analysis, the fraud data analytics plan will need to make assumptions regarding how to identify circumvention. So, any invoice issued on the same day as the purchase order, or the purchase order is issued after the invoice date, becomes the first homogeneous data file. Therefore, all invoices where the purchase order is issued first are excluded from the analysis. The assumption in this decision is that procurement selected the vendor versus a budget owner.

In those companies that have bid codes in their procurement systems, the fraud data analysis would start by identifying which purchase orders were issued with a code, which indicates the purchase order was issued without a bidding process (e.g., sole source selection). Unfortunately, most companies do not have such a code. Therefore, your first internal control recommendation is for your company to require that a bid code become part of your data files.

The next step is to filter out what I have referred to as distraction vendors. To illustrate, payments to utilities, office rental, and mail delivery services usually match the data selection assumption. Since these vendors are not what the fraud data analysis is searching for, the vendors should be excluded from further analysis.

The next step is to summarize the purchases that circumvented purchasing by person, department, or line item of purchase, searching for the following change patterns:

  • Change of internal person and change to vendor for a specific line item.
  • Change of vendor for the specific line item and no change to the internal person.
  • No change of internal person and no change to vendor.

Searching for change in vendors in large companies sounds good, but in reality is very difficult. The use of general ledger categories can facilitate the process because the general ledger category does create a common denominator of like purchases.

A second approach to search for vendor changes is to summarize by line item, sort the line items in date order, then by vendor number. The first record and last record analysis in the software is a great tool for this analysis. The process is searching for a change in vendor on a line‐item basis. Data filtering should be considered after the data summarization.

Using the change analysis, we now have two homogeneous data files: purchase orders with a change to supplier or internal person and purchase orders with no change to supplier or internal person.

The next step for both files is specification identification using a form of trend analysis by searching for increases in price or quantity of a line item over a period of time.

Using the exclusion theory, exclude from your analysis all line items that had no change in price or quantity consistent with your fraud theory. The next step is to determine the size of the resulting file. If the resulting files are large, data filtering based on the dollar size of the line item may be an effective technique to further reduce the size of the file.

Searching the Opportunity Files for Specific Overbilling Techniques

The sample selection is based on data interpretation strategy based on the aggregate dollar value and the increase in unit price. A similar process is followed for add‐on charges and excessive purchases. Fraud data analytics for add‐on charges are discussed in the vendor alone section of the chapter. The excessive purchase scheme uses the quantity field and summarizes by line item. To be clear, this analysis is not easy; it is time consuming and requires patience. If the analysis results from an allegation, the process is easier because the analysis has a starting point as to vendor or internal person.

Disguised Expenditures: Internal Person Purchases the Goods with the Intent of Committing a Theft Scheme

In this scenario, the internal person purchases items with the intent to commit a theft scheme for the purpose of selling the item. In some ways, this is one of the most difficult fraud scenarios to detect, because where does the fraud auditor start? The auditor's experience and knowledge of the company is paramount to selecting the starting point. It becomes an educated guess.

The good news about the scenario is that the frequency of purchase and aggregate dollar value are the best clues. If the item is inventory based, variances or write‐offs may provide a clue. Maybe the frequency and aggregate can be linked to a person.

Data interpretation is the best strategy for this fraud scenario. The fraud data analytics will start with the data summarization by expenditures, followed by the use of outlier analysis. The first summary is all about creating homogeneous data sets. The second summary is all about data interpretation. The sample selection is based on the fraud auditor's knowledge of the business. The fraud auditor is encouraged to select a department, expenditure area, a specific item to summarize. Trying to summarize all company data for this fraud scenario is too overwhelming. There are three overall strategies for data summarization:

  1. Identify tangible items in which the consumption exceeds company requirements.
  2. Identify tangibles items that have an easy resell value.
  3. Identify assets recorded in the balance sheet—inventory or equipment that have known shortages—or focus on asset write‐off schemes.

The fraud data analytics should summarize purchases by a category by specific line items in the category. The analysis should focus on aggregate quantity of the specific item and aggregate dollar value of the purchase. The use of disaggregated analysis is critical to identify items that fit the theft pattern versus normal internal consumption. The sample selection is based on the quantity of the item purchased consistent with company needs.

For recorded assets, the data summarization should focus on the frequency and aggregate value of the write‐off. Hopefully, the fraud data analysis can link the write‐off to a person.

Service expenditures do not fit the concept of theft; however, services paid by the company that inure to the benefit of a company employee would fit the parameter of theft. The fraud auditor should consider expenditures that would have a personal benefit.

In one project, a factory supply manager was purchasing all supply items from one supplier. Closer examination of all the supply purchases revealed a high quantity of ladders. The supply manager was selling the ladders. To further illustrate expenditure areas involving theft‐for‐resale schemes based on my experience: copy paper, copper cabling, IT supplies, and small tools.

Personal Expenses: Paying for Personal Expenses That Inure to the Benefit of the Internal Person

The first place to look for this scenario is in the procurement card purchases. Chapter 10 will cover these expenditures. The difficulty associated with the personal expense analysis is that by the nature of the scenario, the expenditure is typically small dollar and low frequency.

The targeted expenditure approach is effective for finding personal expense scenarios. One approach is to subjectively identify departments that by the nature of the department purchase items in the normal course of the business that would also have a personal nature to the expense. To illustrate the concept, think about the types of items purchased by IT or marketing.

Conflict‐of‐Interest Entities

Conflict of interest is the process of paying for goods or services that are received from the vendor but an internal employee has an undisclosed ownership in the vendor. In Chapter 6, we discussed that conflict‐of‐interest entity has either one customer or multiple customers. The transactional analysis will vary based on the number of actual customers that the conflict‐of‐interest entity serves.

The transactional profile of a conflict‐of‐interest entity with one customer is similar to the transactional profile of a false billing shell company. When the conflict‐of‐interest entity has a few customers, the transactional profile is similar to the pass‐through scheme operated by the salesperson. When the conflict of interest has many customers, the fraud data analytics would follow the overbilling scenario.

Summary

Searching for fraud in the disbursement cycle is like fishing for trout in a fully stocked pond. It is only a matter of time before you catch a trout. The analogy is the same for performing fraud analytics in the payment cycle. It is only a matter of time before you find fraud.

There are more than 50 common fraud scenarios in the disbursement cycle. When considering company‐specific, internal control inhibitors, expenditure, or industry‐specific, the numbers of fraud scenarios become staggering. However, by understanding the power of the fraud scenario methodology, the search for fraud in the trout pond becomes easier.

If there is a limited time budget, what are the three fraud data analytics tests the fraud auditor should perform, and why should the fraud auditor perform the analysis?

  1. Shell company analysis, because once the supplier is identified as a shell company, the fraud auditor has found either a false billing scheme or a pass‐through scheme.
  2. Vendor invoice number analysis, because a sequential pattern or a low invoice number is easy to identify. The sequential pattern is an indicator that the vendor has one customer. Why does the supplier have only one customer?
  3. The number anomaly test searching for round numbers or recurring numbers, because the test is easy and has produced results.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset