By Deepjee Singhal, Manish Pipalia, Chartered Accountants
Internal Audit
Introduction :
Ray the Head — Audit, Risk Management and Forensics of a
manufacturing major — ‘D & B’ was making a presentation on ‘Role of Internal
Audit and Management Assurance Services in detecting indicators of frauds — that
is — red flags’ to the Audit Committee, because the Audit Committee had
queried :
“To what extent should internal audit be responsible to
detect indicators of frauds and provide early warning signals ?”
The presentation sought to present the role of the internal
auditor in the context of the new IT-enabled business environment and the focus
of the assurance teams on IT controls, risk management, physical document-based
audits and compliance requirements under various regulations. One important tool
that could be used in this scenario is Generalised Audit Softwares (GAS). These
tools aid an assurance team to identify trends, patterns and query data for
other indicators of fraud while maintaining the cost of review and timeliness of
conclusions.
The Audit Committee was supportive of the presentation made
by Ray and asked him to implement the GAS and present the red flags detected as
a result of the forensic review in the next quarter meeting.
Methodology :
The Chief Internal Auditor set up a mid-size team within the
department to take the initiative of implementing the GAS in the Company. The
team comprised 2 senior audit officials (who among them had a wide range of
experience in various process activities of the company like procurement, sales,
finance and administration), a Certified Fraud Examiner and an Information
Systems Auditor. The team also retained the services of a retired CBI Officer
who was an expert in economic offence interrogations.
The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using a
GAS and otherwise. The method of using the GAS was debated and discussed by the
group in a way that data integrity, confidentiality and availability of the
production server was not compromised and the objectives were also met.
While it was not possible to log onto the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with a challenge to import data for further analysis.
The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the ERP like materials, sales, etc.)
provided by the DGM-IT. The data dump was provided by running a File Transfer
Protocol (FTP) on the Reporting Server, which is also used for reporting tools
like Discoverer.
Illustrative observations highlighting the red flags detected
(In all these instances, the audit scope was suitably
modified and was followed through to its conclusion)
Accounts payables :
Potential employee-vendor nexus :
The engagement team obtained key master data concerning
vendors and employees. The vendor master data had crucial field data like
telephone number, address, tax code, and bank account number. The employee
master data had vital fields like date of birth, bank account number, PAN, etc.
The team solicited special approvals from the ‘Supply Chain
Management Wing’ and the ‘Human Resources Wing’ to obtain confidential and
privileged master data. Upon getting the data in hand, the team extracted the
data into the GAS and set up the imported data for key comparisons.
The JOIN function was used to link the two databases on the
telephone number and bank account field individually. A quick review of the
result indicated some unexpected linkages, for example, the
address fields for some of the vendors and employees seemed to resemble each
other — similar but not the same. Interrogation followed this crucial data
crunching exercise, where surprise calls were placed to the registered telephone
numbers. On the basis of voice recognition and investigative visits, it was
conclusively stated that key vendor-employee links existed within the company.
Payroll :
Employees who have not availed of sick leave, casual leave or
travel leave in the last 3 years.
The investigation team consulted with the Human Resources
Wing of the company. Employees who tend to attend work regularly without leave
are normally watched by forensic auditors. These employees could be at the heart
of a long-drawn, deep-rooted system fraud as they normally assume key roles in
the organisation without much segregation of duty for long tracts of time. Their
supervisors never suspect their actions and continued service is considered a
merit.
The data under consideration was ‘leave availed’ data for the
last 3 years and employees on company rolls for the last 3 years.
Upon flat file report import, all the employees who had
consumed leave in the last 3 years were summed up. This summation file was
excluded from the file of all employees on the company rolls for the last 3
years using the JOIN function.
The resultant file brought to the fore existing employees of
long-standing nature, who had never consumed leave. In fact on a closer review
with the HR Wing, many of the cases detected were also on the CLOSE-WATCH
OVERTIME list.
The input was used to modify the audit objectives and tests
for identifying any irregularity.
Accounts Receivables :
Inconsistent scheme discount rates offered by Billing to different customers against the same scheme.
The fields of reference relevant to the red-flag being tested were identified as :
The process of interrogation followed was as such:
- Field manipulation, appending a computed virtual numeric field discount % with the criteria (Scheme discounts*100/Gross sale value), rounded off to the nearest integer.
- Navigating to analysis in the menu tool bar and selecting duplicate key exclusion – Celebrated De-Dup Test.
- In duplicate key exclusion, identifying different discount % values for the same scheme number.
- A list of cases where varying discount % had been applied for the same scheme number was easily identified.
- Some cases were extremely glaring, with the discount % being as high as 45%, where the scheme warranted a discount of 15% only.
These cases were taken up for one on one interrogation with the Billing clerks, to ascertain their motive.
Information Technology:
Detecting transactions out of office hours in Access Logs
The fields of reference relevant to the objective being tested were:
The process of interrogation in the GAS was elaborate and clear.
- Extraction on the Access Log File.
- A criterion was designed using the function .NOT. @betweenagetime(StartTime, 1/10:00:001/, 1/22:00:001/) .OR… NOT. @betweenagetime(End Time, 1/10:00:001/, 1/22:00:001/)
- This criterion helped isolate all transactions out of the normal working hours of 10 AM to 10 PM. Here both Start time and End time were trapped.
- The Indexed Direct Extraction function of GAS is very popular on large databases, say, upwards of 100 million transactions. The function first sorts the entire database and then runs the equation through the sorted database. Hence, the results are processed faster as compared to running a direct extraction command on an unsorted database.
Cases observed revealed extensive prolonged login sessions by the Database Administrator during late night sessions. Few cases revealed attempted access by an unknown user with super-user rights. It was later discovered that this user was created during the last system migration with unlimited access and change modification rights. Ironically his user profiles had not been deleted or disabled permanently within the system.
Conclusion:
Some of the indicators that were highlighted using the GAS existed all these years. But the auditor did not have the tool to identify the same within a reasonable timeframe and also provide assurance in other areas. It therefore allowed the audit team to move beyond the ‘priority’ set by the Audit Committee. The IT was also excited about the possibilities which such a tool could have for their forensic security reviews also on a regular basis and initiated a review of the same with special watch on cyber security. Further, Ray made it mandatory for the company’s outsourced internal auditors to use a GAS for their branch audits using similar methodologies as them.
As a seasoned user of the GAS, Ray laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.
The Audit Committee appreciated the innovative steps taken by Ray, including his efforts at clarifying the role of internal auditor in fraud identification. All audit plans included some dimension of fraud reviews without going in for full investigation.
