Finding the enemy within: improving your internal audit with forensic data analytics

By Deepak Pillai and Jack Dong, Clayton Utz

While internal audit can always review an organisation’s processes and procedures, it cannot always detect the minor frauds – which is where forensic data analytics can play a vital role.

One of the misconceptions around corporate fraud is that it’s perpetrated from the outside – that offshore cyber criminals, master hackers and internet gangs are using advanced technologies to wreak havoc on corporations and institutions from afar.

Insurance behemoth Allianz asked 1900 business respondents in 88 countries this year what their most feared “risk events” were. The bulk of respondents believed their companies were most at risk from cyber fraud, ransomware and/or outside intrusion of proprietary data.

The truth is, fraud is the enemy within. Asset misappropriation, the common art of stealing, reigns supreme as the most likely malfeasance perpetrated on a company. Who is more likely to have access to client details and personal information about customers and employees – people on the inside or people on the outside?

It is the misappropriation of cash, the raising of fake invoices and payments made to non-existing suppliers or employees which still bedevil most companies and government bodies.

These age-old abuses are mainly placed under the protection and surveillance of the internal audit team, which covers the weaker links of an organisation – its outgoings, that is, payrolls, accounts payable, capital expenditure and the deployment of working capital.

While internal audit can always review an organisation’s processes and procedures, it cannot always detect the minor frauds, the everyday sleights-of-hand which are the most common features of internal fraud.

Finding them has increasingly become the province of forensic data analytics. Data analytics can locate the payments made on a Sunday afternoon, match supplier addresses to employee addresses and seek out false bank accounts, ghost vendors and duplicated bank details.

It can check if payee details have been changed after the approval process and before a payment file has been uploaded. The systems can diagnose data related to value, volume or date/time or to system user ID type issues, all of which can greatly assist compliance, risk and internal audit teams.
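The checks described above (weekend payments, vendor details that match an employee's, payee details changed between approval and upload) can be expressed as simple rules over the vendor master, HR and payment data. The following is an added example, not code from the authors; all records are constructed and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample records; every field name and value here is an assumption.
EMPLOYEES = [
    {"id": "E01", "address": "12 Smith St, Parramatta NSW", "bank": "062-000 1234 5678"},
    {"id": "E02", "address": "4/88 King Road, Newtown NSW", "bank": "032-111 9999 0000"},
]
VENDORS = [
    {"id": "V10", "address": "12 SMITH STREET PARRAMATTA NSW", "bank": "082-123 4444 1111"},
    {"id": "V11", "address": "1 Harbour Ave, Sydney NSW", "bank": "032111 99990000"},
    {"id": "V12", "address": "70 Pitt St, Sydney NSW", "bank": "012-345 1111 2222"},
]
# bank_approved = payee account when approved; bank_uploaded = account in the payment file.
PAYMENTS = [
    {"id": "P1", "vendor": "V12", "paid_at": "2023-03-05T15:40",  # a Sunday
     "bank_approved": "012-345 1111 2222", "bank_uploaded": "012-345 1111 2222"},
    {"id": "P2", "vendor": "V10", "paid_at": "2023-03-07T10:15",
     "bank_approved": "082-123 4444 1111", "bank_uploaded": "062-000 1234 5678"},
    {"id": "P3", "vendor": "V12", "paid_at": "2023-03-08T09:00",
     "bank_approved": "012-345 1111 2222", "bank_uploaded": "012-345 1111 2222"},
]
ABBREV = {"STREET": "ST", "ROAD": "RD", "AVENUE": "AVE"}

def norm_address(addr):
    """Upper-case, drop punctuation and unify common street-type abbreviations."""
    return " ".join(ABBREV.get(t, t) for t in re.findall(r"[A-Z0-9]+", addr.upper()))

def norm_bank(acct):
    """Keep digits only so formatting differences do not hide a shared account."""
    return re.sub(r"\D", "", acct)

def run_checks(employees, vendors, payments):
    emp_addr = {norm_address(e["address"]): e["id"] for e in employees}
    emp_bank = {norm_bank(e["bank"]): e["id"] for e in employees}
    findings = []
    for v in vendors:
        addr, bank = norm_address(v["address"]), norm_bank(v["bank"])
        if addr in emp_addr:
            findings.append(("ADDRESS_MATCH", v["id"], emp_addr[addr]))
        if bank in emp_bank:
            findings.append(("BANK_MATCH", v["id"], emp_bank[bank]))
    for p in payments:
        if datetime.fromisoformat(p["paid_at"]).weekday() >= 5:  # Saturday or Sunday
            findings.append(("WEEKEND_PAYMENT", p["id"], p["paid_at"]))
        if norm_bank(p["bank_approved"]) != norm_bank(p["bank_uploaded"]):
            findings.append(("PAYEE_CHANGED_AFTER_APPROVAL", p["id"], p["vendor"]))
    return findings
```

Each finding is a lead for review rather than proof of fraud: a shared address can be a family business, and a weekend payment can be a legitimate urgent run.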

In data analytics, two processes are being applied. The first is historic: the search engine and data mining capabilities are founded on a risk library accumulated over years of experience. That library captures the most common ways employees and/or managers can circumvent controls, and how people in individual business units and departments might plausibly commit fraud. It reflects how those in capital expenditure or accounts payable might deceive for personal gain in a way that might differ from those in procurement or expenses.

The second is understanding the company’s own exposures. This revolves around extracting a company’s proprietary data from the system and testing its fallibility. The analytics can identify the company’s weak points and can create tailored rules to cover the areas or processes most at risk.

Data analysis asks the tough questions of all the major expense units in a company. These include:

  • Procurement: Have there been invoices split to circumvent the delegation limits or are there vendors in the master file that were once employees? What payment controls are in place? Do vendors have the same bank accounts as any of the employees?
  • Payroll: Were payments made to terminated or fake employees; which personnel could make unauthorised changes?
  • Travel, expenses, overtime and holiday pay: Did an employee claim the same expense multiple times; did he or she create extra overtime; was holiday bonus paid, the holidays taken cashed out and then fictitiously reinstated?
  • Capital expenditure: Which project managers and providers tend to request variations? Were purchase orders created retrospectively after receipt of invoices? Could operating expense items be posted as capital expense (or vice versa) to take advantage of an existing budget?
  • General ledger: Were there journal entries that may relate to bribery or corruption? Were there unusual journal pairings that indicate profit manipulation?
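The procurement question about invoices split to stay under a delegation limit translates into a windowed aggregation: invoices that individually sit below the limit but, for the same vendor and approver, exceed it in total within a short period. This is an added example, not the authors' code; the limit, the seven-day window and the invoice records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

DELEGATION_LIMIT = 10_000.00   # assumed single-approver limit, for illustration only
WINDOW = timedelta(days=7)     # assumed look-back window

# Constructed sample: (invoice_no, vendor, approver, invoice_date, amount)
INVOICES = [
    ("INV-301", "V20", "mgr_a", date(2023, 5, 2), 6200.00),
    ("INV-302", "V20", "mgr_a", date(2023, 5, 3), 5900.00),
    ("INV-303", "V20", "mgr_a", date(2023, 5, 30), 4000.00),
    ("INV-410", "V21", "mgr_b", date(2023, 5, 4), 9800.00),
    ("INV-411", "V21", "mgr_b", date(2023, 6, 20), 9700.00),
    ("INV-500", "V22", "mgr_a", date(2023, 5, 5), 14000.00),
]

def find_split_invoices(invoices, limit=DELEGATION_LIMIT, window=WINDOW):
    """Flag sets of sub-limit invoices (same vendor and approver) that fall
    inside one window and together exceed the delegation limit."""
    groups = defaultdict(list)
    for inv_no, vendor, approver, day, amount in invoices:
        if amount < limit:  # invoices at or over the limit already escalate
            groups[(vendor, approver)].append((day, inv_no, amount))
    findings = []
    for (vendor, approver), rows in sorted(groups.items()):
        rows.sort()
        start, total, flagged, peak = 0, 0.0, set(), 0.0
        for end, (day, _, amount) in enumerate(rows):
            total += amount
            while day - rows[start][0] > window:  # slide the window forward
                total -= rows[start][2]
                start += 1
            if total > limit:
                flagged.update(r[1] for r in rows[start:end + 1])
                peak = max(peak, total)
        if flagged:
            findings.append((vendor, approver, sorted(flagged), peak))
    return findings
```

With the sample data only the two V20 invoices raised a day apart are flagged; the V21 pair is seven weeks apart and the V22 invoice is already over the limit, so it would have gone through the higher approval path.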

Only a few years ago the idea that systems could monitor insider trading and corruption by analysing employee linguistic patterns would have been scoffed at. Now systems can “read” the fraud vernacular across social media and emails, chat rooms and text messages – what experts call “unstructured data”.

Analytics can now monitor digital communication between employees, assess cyber exposure, perform text mining to identify patterns and unauthorised behaviours, and check an employee’s entitlements against actual amounts paid.

The end game is very much about process improvement. Analytics pinpoints where processes aren’t being followed even though internal audit may point to due diligence being followed. The data does not lie. It can show whether processes are being adhered to, bypassed or “mis-delegated” to unauthorised personnel.

Forensic analytics is not just about fraud. It is equally about waste and error. For example, a system could run checks for duplicate invoices – it is not uncommon for a vendor to have mistakenly sent two invoices, and for the payables department to have paid out the amount twice. The duplicates may have been intentional, but just as often they are not.
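A duplicate-invoice check has to survive re-keyed invoice numbers, so exact matching on the number is not enough. The sketch below is an added example, not the authors' code: it pairs paid invoices for the same vendor and amount when the normalised numbers match or the invoice dates are within a few days. The records, the three-day tolerance and the normalisation rule are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample: (payment_id, vendor, invoice_no, invoice_date, amount_cents)
PAID = [
    ("PAY-1", "V30", "INV-00123", date(2023, 7, 3), 451000),
    ("PAY-2", "V30", "inv 123", date(2023, 7, 3), 451000),     # re-keyed copy
    ("PAY-3", "V30", "INV-00140", date(2023, 7, 20), 451000),  # later, separate invoice
    ("PAY-4", "V31", "8841", date(2023, 7, 10), 120050),
    ("PAY-5", "V31", "8902", date(2023, 7, 11), 120050),       # re-sent under a new number
    ("PAY-6", "V32", "INV-00123", date(2023, 7, 3), 451000),   # different vendor
]

def norm_invoice_no(raw):
    """Reduce an invoice number to its digits without leading zeros, so that
    'INV-00123' and 'inv 123' compare equal; fall back to upper-cased
    alphanumerics when the number contains no digits."""
    digits = re.sub(r"\D", "", raw).lstrip("0")
    return digits or re.sub(r"\W", "", raw).upper()

def find_duplicate_payments(paid, max_days=3):
    """Return (payment_a, payment_b, reason) for likely double payments."""
    groups = defaultdict(list)
    for row in paid:
        groups[(row[1], row[4])].append(row)  # same vendor and same amount
    pairs = []
    for rows in groups.values():
        for a, b in combinations(rows, 2):
            if norm_invoice_no(a[2]) == norm_invoice_no(b[2]):
                pairs.append((a[0], b[0], "SAME_NUMBER"))
            elif abs((a[3] - b[3]).days) <= max_days:
                pairs.append((a[0], b[0], "SAME_AMOUNT_NEAR_DATE"))
    return pairs
```

The output does not distinguish error from intent; it gives the payables team the pairs to examine and, where appropriate, recover.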

A company monitoring its own data flows will see the results as a dashboard that covers all of the above and gives the organisation very clear oversight of fissures and cracks in its internal operations.

Deepak Pillai is a Director at law firm Clayton Utz and a highly experienced data analytics professional. Jack Dong is Manager, Forensic and Technology Services, Sydney.