For the perpetrator, fraud in the disbursement cycle is like a child in a candy store. The child has a favorite candy, and the child seldom takes one piece of candy. For fraud data analytics, the favorite candy is the fraud scenario, and frequency analysis is the amount of candy. Just like the candy store, the choice of candy is limited to the candy in the store; for the perpetrator, the number of fraud scenarios is limited to the number of fraud scenarios in the fraud risk structure that links to the perpetrator.
The inherent scheme fraud theory states that the number of inherent schemes and scenarios are finite and predictable. The fraud auditor will need to convert the generic inherent scheme to a company‐specific fraud scenario, and if a targeted expenditure audit, to the language of the expenditure area.
The inherent scheme comprises an entity structure that is a supplier and a fraudulent action. The following fraudulent actions comprise the list of inherent disbursement schemes. To create the fraud scenario, the fraud auditor will need to link the person committing the scheme and the entity structure to the action statement. The auditor should write the scenario statement consistent with the approach described in Chapter 2.
The easiest way to explain the process of converting the inherent scheme to a fraud scenario for a targeted expenditure is to illustrate the concept. For purposes of illustration, we will assume internal collusion with an internal budget owner, the expenditure area is professional consultant fees, and the consultant is a real supplier that is overbilling on the contract:
The expenditure cycle comprises a purchase requisition, purchase order, vendor invoice, receiving document, and the payment, which can occur through a paper check or electronic transfer. The understanding of the information on these documents becomes the basis of fraud data analytics for the fraud action. Consistent with Chapter 3, the documents all have a control number, a control date, an amount, a line item description, and are recorded to a general ledger account.
As part of the planning process, the fraud auditor should understand when the document is issued, by what function, and the true internal control effectiveness. Issuing purchase orders after receiving the vendor invoice implies that the purchasing function was circumvented; therefore, the internal control effectiveness is reduced to a low level. If separation of duty concepts is not enforced, then control effectiveness must be considered low. The use of internal control avoidance testing can provide a good barometer as to the true internal control effectiveness.
The requisition might be initiated through a document or through an automated reorder process. The requisition is more critical in the search for procurement fraud scenarios versus payment fraud scenarios.
The purchase order is intended to create a contract between the vendor and your company. The placement of the purchase order is what causes the vendor to supply the goods or services. It is important to understand when purchase orders are issued within your company. Is the purchase order created before the vendor invoice, is the purchase order issued after the invoice, or is no purchase order issued? The use of disaggregated analysis on when the purchase order was issued may provide a clue to fraud opportunity.
The receiving document is created upon the receipt of the tangible goods to signify both the quantity and quality of the goods are consistent with the description on the purchase order. It is important to understand what tangible goods are received through the receiving function and what tangible goods bypass the receiving function.
The proverbial three matches occur when the vendor invoice matches the purchase order and the receiving document. This process initiates the payment to the supplier.
The payment occurs through a paper check or through an electronic payment. It is important to understand what causes a payment to occur. Is it through a three match or through an internal approval signature? If the payment occurs through electronic payment, then we know what bank account received the funds. If the payment occurs through a paper check, then all we know in data analytics is the payee listed on the check.
Fraud data analytics for the fraud action statement is the process of examining the purchase order, the vendor invoice, the receiving document, the payment, and the general ledger account for red flags consistent with the specific fraud scenario. The fraud auditor has two approaches: the compliance approach or the fraud scenario approach.
The first approach assumes the auditor is performing a compliance‐based audit. In the compliance approach, the auditor searches for noncompliance with a procedure. Then the auditor searches for a pattern or frequency of noncompliance associated with a person or entity. In the compliance approach, the auditor must link the noncompliance to a fraud scenario either through additional fraud data analytics or through audit testing procedures. In the compliance audit the fraud data analytics is based on the internal control avoidance strategy.
The second approach is based on the fraud scenario approach, which is the basis of this book. In this approach, we build fraud data profile of the fraud action using the control number, date, amount, and description on the purchase order, vendor invoice, payment, and the general ledger account. In the scenario approach, the fraud data analytics strategies of specific identification, internal control avoidance, data interpretation, and number anomaly are the basis of the fraud data analytics approach.
The first step is to gather data to identify homogeneous data sets within the expenditure data file. The second step is to use disaggregated analysis to further shrink the homogeneous data set based on specific fraud scenarios. The homogeneous data sets are created based on the scope of the audit. A few illustrations are:
The inherent scheme structure has two components for fraud data analytics plan. The shell company is discussed in Chapter 6. The fraud data profile for the false billing action statement can be characterized by these nine tendencies:
Pass‐through schemes provide the illusion of an arm's‐length business transaction with a real company. The goods and services are received, the internal three‐way match is in full compliance, and the internal person has committed the fraud scenario, either alone or in collusion with an external party. To further complicate the matter, the middle company, which is the pass‐through company, is either a shell company or a real company. There are six permutations of the pass‐through entity scheme.
The pass‐through schemes are similar in structure, but very different in the fraud data analytics. The fraud auditor will need to build a separate plan for each version of the pass‐through scheme. The starting point is to understand how the entity structure operates:
The shell company pass‐through scheme when the internal person creates the shell company.
The first version is when the shell company is created by an internal person. The internal person causes a purchase order to be issued to the shell company. The shell corporation has no assets or employees, so the shell corporation in essence purchases the goods from a real company. The real company ships the goods directly to your company. The real company invoices the shell company and the shell company invoices your company at a markup from the real invoice. Thereby, the scenario complies with the three‐match procedure of a purchase order, invoice, and receipt. The fraud profit for the internal person is the difference between what the real company charges and what the shell company charges your company. The conversion cycle occurs by the internal perpetrator controlling the shell company bank account.
The shell company pass‐through scheme by the external salesperson from real company.
The second version is when the shell company is created by a salesperson at the real company. In the salesperson version the salesperson pays a bribe to the internal person to purchase from the shell company versus the real supplier. The internal person issues a purchase order to the shell company. The real company ships directly to your company, the real company invoices the shell company, and the shell company invoices your company. The conversion cycle occurs when the salesperson that created the shell company pays a kickback to the internal person.
The fraud data profile for both shell company pass‐through schemes is similar but both schemes have a few unique attributes. Using the pass‐through company invoice, the fraud auditor would interrogate the data as follows:
A real company operating as a pass‐through scheme
In version three, the middle company is a real company and operates as the pass‐through company. However, the real middle company is not in the business of selling the item that your company requires. The internal person conspires with the real middle company to purchase the real item from another supplier. Since the real middle company does not supply the item, the real middle company must purchase the item from another real company. The shipment of the item to your company typically occurs from second real company. However, the second real company may ship directly to real middle company, and the real middle company would ship to your company. The fraud scheme requires a markup on the price to your company and the middle real company paying the internal person a bribe. The final investigation may determine that the third company was either complicit or not complicit in the scheme.
There is no entity analysis because the supplier is real.
The fraud data analytics must focus on the line‐item description on the invoice or the purchase order. The analysis is searching for a vendor that the majority of purchases are within a specific expenditure area; therefore the anomaly is line item purchases that are not consistent with the primary expenditure associated with the supplier.
When a company uses a commodity code within its purchasing file, the identification of the anomaly is simple. The fraud data analytics summarizes purchases by vendor by commodity code. Vendors that have only one commodity can be excluded. The fraud auditor then uses data interpretation to review the remaining list for anomalies. If your company does not maintain commodity codes, the use of general ledger account number may provide a similar analysis. The final approach would be a summary by vendor, by line item. The last approach would require the most extensive manual effort by the fraud auditor.
The first audit step should be to review the selected vendor's website to determine if the vendor advertises the anomaly purchase on its website. If the item is not advertised, the fraud auditor has credible evidence to perform an investigation.
A real company operating as a hidden entity operates as a pass‐through scheme
The scheme operates exactly as version three, except the middle and real company have a common ownership. The entity is referred to as a hidden company, which was discussed in Chapter 6. In this scheme, your company will purchase from both the middle and the real company. The true purpose of the hidden pass‐through is to avoid dollar control levels by splitting the purchase. In this scheme, the internal person may or may not be complicit in the scheme.
The entity testing relies on the duplicate analysis, which was discussed in Chapter 6.
If the entity testing reveals hidden entities, the first step of the transaction analysis is linking the transactions to the vendor numbers identified in the hidden entity testing. In this way, instead of summarizing all transactions by vendor number, we are able to shrink the population to those transactions that link to the hidden entity number. The transaction analysis searches for duplicate line items between the two companies. If exact matches do not occur on the line item, using a general ledger number may provide a commonality for analysis. If line‐item analysis is not effective, search for duplicate invoice number or invoice date between the two companies. Once the duplicate purchases are identified, summarize the transactions based on dollars and frequency to determine if the combined purchases exceed key control thresholds.
If entity analysis does not reveal hidden entities, then we need to search on all transactions. The first step is finding a common denominator between the transactions. Start with the general ledger code, department code, or cost center. Based on the common denominator match, search for a secondary match for duplicate information between the transactions such as invoice number, invoice date, line‐item description, or purchase order number. The secondary match would be a duplicate test using a duplicate date and common line item between two different vendor numbers or a duplicate invoice number and common line‐item description between two different vendor numbers.
One of the complexities associated with the scenario is how the supplier uses the two companies. In one situation, the second company's sole purpose is to facilitate the structuring of purchases to avoid your company's internal dollar levels. In essence, the second company is similar to a shell company. If this is true, then the fraud data analytics for one of the hidden entities would meet the profile of the false billing shell company.
If the second company is a free‐standing company selling to multiple customers and various product lines, then we will search for duplicate line items between the two vendors and the secondary criterion would be date of purchase. As a practical suggestion, in the data usability analysis determine the quality of the line item descriptions in your files.
Real business acts like a shell company but operates as a pass‐through scheme
There are a number of businesses that operate as a legal pass‐through company. Examples are manufacturing representatives, product brokers, and minority suppliers or government‐preferred vendors. These types of suppliers are real and provide a necessary service to the business community. Unfortunately, there are suppliers in this category that are legally created, may have an office, but in essence function like a shell company because your company is actually procuring the item, and the real supplier is actually shipping the item to your location. The supplier in the middle simply functions as a legal pass‐through.
The entity analysis would first focus on those codes that may help identify a government‐preferred supplier. Since the other vendors in this category may be operating from home offices or small offices, the address field may be of use. The fraud data analytics could focus on street addresses or known mailbox service addresses.
The transaction analysis would focus on invoice number and line‐item descriptions. The invoice number pattern would most likely be a sequential pattern or a limited range pattern. The amount of the invoice would not be critical because the supplier was most likely selected on a sole source basis. In my experience, the invoice amount tends to be an even amount.
When the real pass‐through company operates as a shell company, the invoice description tends to be vague or provide limited line‐item descriptions as with a real supplier. The data interrogation should focus on the lack of alpha and numeric in the description. The numeric description may also have limited integers.
FDA for prime contractor and subcontractor
The internal person directs the prime contractor to select a specific subcontractor and the internal person directs the prime contractor to pay the subcontractor a specific amount. The subcontractor then pays a bribe directly to the internal person. Generally there is no effective fraud data analytics plan to search for version six, unless there is a change order reflecting the subcontractor's identity or a line item on the general contractor's invoice, which provides a subcontractor's name.
In this category, the basic assumption is that the internal source is not complicit in the overbilling. However, for whatever reason the internal controls do not prevent or detect the vendor from overbilling your company.
A vendor understands a company's receiving and payment internal controls in some ways better than the company itself. With this knowledge, the vendor exploits the vulnerabilities in the receiving and payment process. Although the illustrations are for tangible goods, the concept is similar for services. Typically the invoices are considered small dollar for the organization. The concept of small dollar is relevant to the organization versus the concept of a small number. The reason for the small‐dollar invoice is the reduced visibility concealment concept, and often the internal controls are less robust for small‐dollar invoices. Due to the volume of transactions in this analysis, filtering of activity is paramount to the success of the analysis. The more common scenarios perpetrated under this category of overbilling are:
The scheme occurs by intentionally submitting an invoice twice for payment of the same goods or services. Duplicate payment test depends on how the vendor or accounts payable clerk is submitting or recording the second invoice. The test examines the invoice number, invoice date, invoice amount, and invoice line‐item description. The test is designed to search for the true duplicate with no concealment or a duplicate invoice that uses concealment by a change in the second invoice: invoice number, invoice date, invoice amount, or line item description. For clarification, the concept of first or second invoice is not intended to describe the order the invoice was submitted but rather, the concept of two vendor invoices for the same goods or services. Also, the discussion will describe duplicate testing when there is no purchase order or an open purchase order. The testing could also be relevant when the purchase order is issued after the receipt of the invoice and the purchase order transaction is created by accounts payable. The fraud auditor will need to understand the fraud opportunity question, person committing, as it relates to their organization to properly address the possible combinations of opportunity.
The concept is simple: The vendor operating in collusion with a budget owner or senior manager overcharges your company. Overcharging that occurs through the procurement function is discussed in Chapter 9. In this chapter, overcharging does not involve the procurement function but is linked to the approval process, receipt process, or payment process. Collusion is the key word in this scheme. The internal person is a control owner. The variables in overcharging are the expenditure category, the industry, responsibilities of the control owner participating in the scheme, and where the scheme occurs in the expenditure cycle. It would be impossible for anyone to describe all the overcharging permutations by industry, so this book will focus on the methodology and allow the fraud auditor to adapt the methodology to the industry and expenditure category.
The first step is to understand the inherent scheme structure of how overbilling occurs:
Fraud data analytic routines need to be designed around the opportunity to commit the scheme and the method of overbilling. The fraud data analysis starts by creating homogeneous data files based on the opportunity to commit the scheme, then the search for the overbilling techniques. The analysis typically requires creating multilayers of files to identify the specific fraud scenario. The reason for the opportunity analysis is to establish the intent factor through frequency analysis. The technique analysis is to identify the method of overbilling. In this book, we will discuss opportunity analysis from three perspectives:
Once the opportunity homogeneous data files are created, the second step of the analysis is to search for the various overbilling techniques. Based on my experience, the fraud auditor should start with an inflated unit price, false add‐on charges, and excessive item purchases scheme.
To avoid confusion, within the context of this chapter, the term purchase order includes either a purchase order or a contract. In regard to bidding procedure, the approach described will not distinguish between oral quotes, written quotes, or sealed bid procedures.
The basic assumption in this overbilling category is that procurement controlled the acquisition and the procurement function is not involved in the scheme. A purchase order is issued and the overbilling occurs through falsely approving changes to the purchase order, overriding the purchase order with invoice approvals, or the budget owner provides advance communication of a future change of the purchase mix and no change to the purchase order.
The overbilling in this scheme occurs after procurement through the false administration of the purchase order. So, do not be fooled by the evidence of written bids, written quotes, purchase orders, and contracts. The bidding process provides the illusion of sound internal controls, which effectively conceals the budget owner's intent to corrupt the procurement process.
The good news is that overbilling after procurement leaves an audit trail of change. Now the bad news: Since most vendors on your master file are real vendors, the sheer volume of data is a general concealment condition. Furthermore, changes to purchase orders are common, and changes to projected needs do occur. Whatever the reason, the key word is change.
The change fraud data analytics methodology in the false administration scenario is the search for change through the purchase order file or through the invoice file. This is not a matter of style but the search for different types of changes.
The change fraud data analytics strategy based on the purchase order file searches for the changes to the unit price, quantity, and dollar value of the purchase order. The goal is to identify a high frequency of change by vendor or department or changes that have a material impact on the dollar value.
The first step is to create two homogeneous data files: purchase orders with changes and purchase orders without changes. First, summarize the two files by vendor number, providing frequency, aggregate dollar value, maximum, minimum, and average. The first report is intended to provide gross statistical information. The second report would summarize by vendor number, providing frequency and aggregate dollar value of purchase orders with changes and without changes. The second report is to identify vendors with a higher frequency of purchase order changes.
The purchase order change report should also summarize by the person committing the scenario. The person committing the fraud scenario could be a buyer, department, or any other meaningful business grouping. The purpose of the summary report by person committing the scenario is to link the purchase order changes to a person.
Now that the planning reports are complete (remember the understand data step) the next step is to interrogate the data.
The types of purchase order changes that typically occur are
Specific identification strategy is initially used to create homogeneous data sets. In this scenario category purchase orders with no change would be excluded from the fraud data analysis because change is the key criterion. So, the first homogeneous data file is purchase orders with changes. In the second step, the purchase order should be disaggregated into two separate files, purchase orders with one invoice and purchase orders with multiple invoices. The reason for two files is because the change between one purchase order and one invoice is simply easier to see than when there are multiple invoices.
Using the purchase order change files, the fraud data analytics should search for the type of change, or change by buyer, or by general ledger category. The goal of the analysis is to identify a pattern and frequency of change that correlates to an internal person or a vendor.
As a reminder, our goal is to shrink the haystack in order that an anomaly becomes more visible to the naked eye. At this point, the fraud auditor could filter out the changes with an immaterial dollar change and use a sample selection methodology to select purchase orders within the change category, or the fraud auditor could continue with their fraud data analysis.
The change fraud data analytics strategy based on the invoice file is to summarize actual purchases described on the vendor invoice by line item and prepare the same summary for the purchase order. Then the next step is to search for change between vendor invoice summary of actual purchases to the line items on the original purchase order. The goal is to identify changes on a line item between the invoice summary and purchase order summary. There are two outcomes. The first outcome is a change to the total purchase order amount and a change to the mix. The second outcome is no change to the purchase order total amount but a change in the mix of the items purchased. The change in the mix provides the vendor with more favorable margins. In both approaches, the goal is to recreate the purchase selection process by comparing actual purchases to each vendor's bidding information to determine if the lowest‐cost vendor was in fact selected or if the change allowed the vendor to commit an overbilling scheme.
By purchase order number, summarize the vendor invoices by line item that links to each purchase order. Then summarize the purchase orders by line item. Compare the invoice summary to the purchase order summary and search for change on the line item. The goal is to identify changes in the mix of the actual items purchased to the mix of items on the original purchase order. The purchase orders with no change to the mix should be excluded from the fraud data analytics in this scheme. Now the fraud auditor has created a homogeneous file of changes.
Using the purchase order change file, link the invoices to the purchase orders that had the change criteria. The analysis follows the retrospective analysis introduced in the auditing standards.
The fraud data analysis in the invoice file is searching for a change in the mix of items purchased from the vendor. The change in mix is purchasing different quantities of items, different quality, or different items than described on the original purchase order. The change in mix can occur through one vendor in collusion with the budget owner or two vendors operating in collusion without the budget owner. Start with the budget owner permutation and one vendor.
The change in mix is the first indicator of a vendor and internal person operating in collusion. The fraud data analysis by itself will identify the change in the mix; it is the fraud auditor's job to determine if the change occurred through normal business evolution or the change occurred through intent to commit the scheme.
Change in the mix can also occur between two vendors. When you place an order for the item, the vendor indicates that it is out of stock for the item. Since the item is time critical, you purchase the item from the next‐lowest‐cost vendor in the bid file. The goal of the vendors is to sell only those items with the highest margins. In the procurement chapter, this scheme would be referred to as vendor bid rigging.
A good red flag of the two vendors operating in collusion is searching for a zero quantity purchase of a line item on a purchase order. In this scheme the vendor awarded the purchase order avoids selling those items with low margins and the vendor not awarded the purchase order fulfills your needs of the zero purchase line item selling the item at a high price.
The specific identification strategy using the invoice file would identify purchase orders by vendor that have a zero quantity of a purchase line item. The zero quantity item purchase order lines become a homogeneous data file. The next step is to determine if the zero purchase line item was procured from a different vendor. Using the line item, perform a duplicate test for duplicate line items but different vendor number. If the zero line item file is small, use the general ledger account as a common dominator for linking purposes, and perform the old hunt‐and‐peck approach.
The fraud auditor then must examine the facts and circumstances of the zero purchase line‐item schemes. Caution: The obvious criterion is a significant unit price difference between the two vendors. However, it is possible that both bid prices were inflated; therefore, no significant unit process changes are evident.
In the circumvent scheme, the budget owner circumvents the procurement function by creating requisitions below the bidding level and recommending a preferred vendor, or the budget owner purchases directly from the vendor through small‐dollar purchases; however, the purchases in the aggregate would require bidding procedures. The key word is circumvention through compliance with purchasing procedures.
The circumvention fraud data analytics strategy is based on small‐dollar purchase orders, small‐dollar invoices, and split invoices. The circumvention is how the internal source avoids the intent of procurement controls and provides the illusion of full compliance with procurement. A second avoidance strategy is the time extension of the purchase order, which effectively allows for avoidance of the procurement procedures. Circumvention can also occur when a real supplier operates under multiple names.
Specific identification strategy is used to create the file of vendors or buyers that meet the criteria of the scheme. The data interpretation strategy is used to identify the circumvention of the procurement process through small‐dollar transactions. The pattern was established through the specific identification strategy. The frequency of occurrence or the dollar magnitude of the small‐dollar transaction will be the basis of the data interpretation. The linkage factor starts with a vendor number and then on the line item, project number, department number, general ledger code associated with the purchase order, and the small‐dollar invoices.
The first step is to create two homogeneous data files based on bidding levels. The first file is all purchase orders below the bid level and the second file is all purchase orders above the bid level. If invoices are processed without purchase orders, then the same process would need to occur. The purchase orders and invoices above the bidding level are excluded from the next analysis.
Starting with the small‐dollar purchase orders, summarize the small‐dollar purchase orders by vendor, providing the frequency and aggregate dollar value of purchase orders. By vendor number, summarize the frequency and dollar value of small‐dollar invoices with no purchase order. Then create one report with three columns of data: small‐dollar purchase orders, invoices with no purchase order, and the aggregate of the two columns. Filtering of small‐dollar activity is critical because of the abstract nature of the data interpretation in the next phase. The fraud data analysis reports by their nature might be voluminous, which makes data filtering critical.
The concept of testing for splitting invoices is searching for split invoices by vendor number using the exact match in the duplicate test using invoice date and/or line items on invoices. These concepts were already discussed in the book.
In this scenario, the entity is real, the fraud profit is embedded in the invoice or purchase order, and no change is required to the documents. Therefore, the red flags are not visible in one transaction but would be visible over a period of time. A caveat: If the fraud auditor has superior knowledge about a specific purchase, the fraud auditor would be able to see the anomaly in a transaction. In a classroom setting, using one invoice from an equipment rental fraud scheme, a gentleman with 25‐plus years in the equipment rental business was able to see the fraud in two seconds. For the fraud auditor without superior knowledge, fraud data analytics is the methodology for identifying overbilling.
Fraud data analytics is a multi‐tiered approach, starting with internal control circumvention, use of change analysis followed by specific identification, and then the use of data interpretation through the use of change, trend analysis, or benchmarking to similar purchases. The fraud auditor will need to make a few assumptions in the analysis based on fundamental fraud theory. For example, the greed factor will cause the perpetrators to want more money. The fraud will continue until some event stops the fraud. The supplier and internal person are friends.
The first step in the circumvention strategy is to identify purchase orders that avoided procurement. By avoiding procurement, it means that no meaningful procurement procedures were performed on the selection of the vendor. The mere fact that a purchase order is issued does not indicate that meaningful procurement procedures were performed. The problem becomes how to identify such acquisitions. In this analysis, the fraud data analytics plan will need to make assumptions regarding how to identify circumvention. So, any invoice issued on the same day as the purchase order, or the purchase order is issued after the invoice date, becomes the first homogeneous data file. Therefore, all invoices where the purchase order is issued first are excluded from the analysis. The assumption in this decision is that procurement selected the vendor versus a budget owner.
In those companies that have bid codes in their procurement systems, the fraud data analysis would start by identifying which purchase orders were issued with a code, which indicates the purchase order was issued without a bidding process (e.g., sole source selection). Unfortunately, most companies do not have such a code. Therefore, your first internal control recommendation is for your company to require that a bid code become part of your data files.
The next step is to filter out what I have referred to as distraction vendors. To illustrate, payments to utilities, office rental, and mail delivery services usually match the data selection assumption. Since these vendors are not what the fraud data analysis is searching for, the vendors should be excluded from further analysis.
The next step is to summarize the purchases that circumvented purchasing by person, department, or line item of purchase, searching for the following change patterns:
Searching for change in vendors in large companies sounds good, but in reality is very difficult. The use of general ledger categories can facilitate the process because the general ledger category does create a common denominator of like purchases.
A second approach to search for vendor changes is to summarize by line item, sort the line items in date order, then by vendor number. The first record and last record analysis in the software is a great tool for this analysis. The process is searching for a change in vendor on a line‐item basis. Data filtering should be considered after the data summarization.
Using the change analysis, we now have two homogeneous data files: purchase orders with a change to supplier or internal person and purchase orders with no change to supplier or internal person.
The next step for both files is specification identification using a form of trend analysis by searching for increases in price or quantity of a line item over a period of time.
Using the exclusion theory, exclude from your analysis all line items that had no change in price or quantity consistent with your fraud theory. The next step is to determine the size of the resulting file. If the resulting files are large, data filtering based on the dollar size of the line item may be an effective technique to further reduce the size of the file.
The sample selection is based on data interpretation strategy based on the aggregate dollar value and the increase in unit price. A similar process is followed for add‐on charges and excessive purchases. Fraud data analytics for add‐on charges are discussed in the vendor alone section of the chapter. The excessive purchase scheme uses the quantity field and summarizes by line item. To be clear, this analysis is not easy; it is time consuming and requires patience. If the analysis results from an allegation, the process is easier because the analysis has a starting point as to vendor or internal person.
In this scenario, the internal person purchases items with the intent to commit a theft scheme for the purpose of selling the item. In some ways, this is one of the most difficult fraud scenarios to detect, because where does the fraud auditor start? The auditor's experience and knowledge of the company is paramount to selecting the starting point. It becomes an educated guess.
The good news about the scenario is that the frequency of purchase and aggregate dollar value are the best clues. If the item is inventory based, variances or write‐offs may provide a clue. Maybe the frequency and aggregate can be linked to a person.
Data interpretation is the best strategy for this fraud scenario. The fraud data analytics will start with the data summarization by expenditures, followed by the use of outlier analysis. The first summary is all about creating homogeneous data sets. The second summary is all about data interpretation. The sample selection is based on the fraud auditor's knowledge of the business. The fraud auditor is encouraged to select a department, expenditure area, a specific item to summarize. Trying to summarize all company data for this fraud scenario is too overwhelming. There are three overall strategies for data summarization:
The fraud data analytics should summarize purchases by a category by specific line items in the category. The analysis should focus on aggregate quantity of the specific item and aggregate dollar value of the purchase. The use of disaggregated analysis is critical to identify items that fit the theft pattern versus normal internal consumption. The sample selection is based on the quantity of the item purchased consistent with company needs.
For recorded assets, the data summarization should focus on the frequency and aggregate value of the write‐off. Hopefully, the fraud data analysis can link the write‐off to a person.
Service expenditures do not fit the concept of theft; however, services paid by the company that inure to the benefit of a company employee would fit the parameter of theft. The fraud auditor should consider expenditures that would have a personal benefit.
In one project, a factory supply manager was purchasing all supply items from one supplier. Closer examination of all the supply purchases revealed a high quantity of ladders. The supply manager was selling the ladders. To further illustrate expenditure areas involving theft‐for‐resale schemes based on my experience: copy paper, copper cabling, IT supplies, and small tools.
The first place to look for this scenario is in the procurement card purchases. Chapter 10 will cover these expenditures. The difficulty associated with the personal expense analysis is that by the nature of the scenario, the expenditure is typically small dollar and low frequency.
The targeted expenditure approach is effective for finding personal expense scenarios. One approach is to subjectively identify departments that by the nature of the department purchase items in the normal course of the business that would also have a personal nature to the expense. To illustrate the concept, think about the types of items purchased by IT or marketing.
Conflict of interest is the process of paying for goods or services that are received from the vendor but an internal employee has an undisclosed ownership in the vendor. In Chapter 6, we discussed that conflict‐of‐interest entity has either one customer or multiple customers. The transactional analysis will vary based on the number of actual customers that the conflict‐of‐interest entity serves.
The transactional profile of a conflict‐of‐interest entity with one customer is similar to the transactional profile of a false billing shell company. When the conflict‐of‐interest entity has a few customers, the transactional profile is similar to the pass‐through scheme operated by the salesperson. When the conflict of interest has many customers, the fraud data analytics would follow the overbilling scenario.
Searching for fraud in the disbursement cycle is like fishing for trout in a fully stocked pond. It is only a matter of time before you catch a trout. The analogy is the same for performing fraud analytics in the payment cycle. It is only a matter of time before you find fraud.
There are more than 50 common fraud scenarios in the disbursement cycle. When considering company‐specific, internal control inhibitors, expenditure, or industry‐specific, the numbers of fraud scenarios become staggering. However, by understanding the power of the fraud scenario methodology, the search for fraud in the trout pond becomes easier.
If there is a limited time budget, what are the three fraud data analytics tests the fraud auditor should perform, and why should the fraud auditor perform the analysis?