Top 25 Tests for Analytic Superheroes - St. Louis
Top 25 Tests for Analytic Superheroes • Presented by: Phil Lim, Product Manager, ACL
• ACL Connections, June 2014
OBJECTIVE: Superhero combat techniques and analytic superweapons to battle the super villains of FRAUD, WASTE, AND ABUSE
TARGET Areas
• Travel and Entertainment (T&E)
• General Ledger and Record to Report (GL/R2R)
• Payroll (including Human Resources / Timekeeping)
• IT (Information Technology and Access)
• Purchase to Payment (P2P)
• Order to Cash (O2C)
RULES for Analytic Testing
RULE #1: QUICK WINS Choose a specific, narrow risk where there are likely findings.
RULE #2: Use Proper Tools Battling super villains takes analytic super weapons and super powers.
What’s in your toolbelt?
AREA 1: Travel and Entertainment Expenses (T&E)
Data Acquisition for Travel and Entertainment Expenses
Discover existing data feeds. For organizations using Concur, you’re probably already receiving the Standard Accounting Extract (SAE).
Which data fields are required? (Refer to handout.)
T&E Split Purchases
• An employee submits two separate expense transactions for a single expense to avoid a transaction limit.
Risk
• Identify travel and entertainment (T&E) expenses by the same employee, to the same expense type, on the same date, where each expense is less than the limit, but total to greater than the limit.
Test
TEST #1
Analytic Superweapon: Detecting Splits!
1. Define your threshold – E.g., $75 meal limit
2. Filter out transactions below the threshold
3. Subtotal amounts based on key fields
– E.g., ACL SUMMARIZE on Employee, Expense Date, Expense Type, SUBTOTAL amount
4. Identify amount subtotals greater than threshold
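The four steps above in Python, as an added example that is not part of the original slides. The rows are constructed, and step 2 is read the way the Test statement describes it: keep only expenses that are individually below the limit.

```python
from collections import defaultdict
from decimal import Decimal

LIMIT = Decimal("75.00")  # Step 1: the slide's example meal limit

# Constructed sample rows: (employee, expense_date, expense_type, amount)
EXPENSES = [
    ("E100", "2014-05-02", "Meal", Decimal("60.00")),
    ("E100", "2014-05-02", "Meal", Decimal("55.00")),  # same day and type: 115.00
    ("E100", "2014-05-03", "Meal", Decimal("40.00")),
    ("E200", "2014-05-02", "Meal", Decimal("90.00")),  # over the limit on its own
    ("E200", "2014-05-02", "Meal", Decimal("20.00")),
    ("E300", "2014-05-02", "Meal", Decimal("30.00")),
    ("E300", "2014-05-02", "Taxi", Decimal("70.00")),  # different expense type
]


def find_splits(rows, limit=LIMIT):
    """Return {(employee, date, type): [amounts]} for suspected split purchases."""
    groups = defaultdict(list)
    for employee, date, expense_type, amount in rows:
        # Step 2: keep only transactions that are individually below the limit.
        if amount < limit:
            groups[(employee, date, expense_type)].append(amount)
    # Steps 3 and 4: subtotal per key and flag groups of two or more
    # transactions whose subtotal exceeds the limit.
    return {
        key: amounts
        for key, amounts in groups.items()
        if len(amounts) >= 2 and sum(amounts) > limit
    }


if __name__ == "__main__":
    for key, amounts in find_splits(EXPENSES).items():
        print(key, [str(a) for a in amounts], "subtotal", sum(amounts))
```

An expense that already exceeds the limit (E200's 90.00) is a plain policy violation rather than a split, so it is excluded before subtotalling and does not drag the 20.00 item into a false positive.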
T&E Double Dip
• An employee submits a corporate card transaction receipt as an out-of-pocket (OOP) expense for reimbursement.
Risk
• Identify travel and entertainment (T&E) expense transactions where there is both a corporate card transaction and an out-of-pocket (OOP) to the same employee for the same amount.
Test
TEST #2
Analytic Superweapon: Detecting Splits!
1. Bucket transactions into groups using a conditional computed field for payment type
E.g., OOP, Corporate Card
2. Determine whether there are any transactions by same employee with the same amount but different payment types
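The two steps above in Python, as an added example that is not part of the original slides. The rows, the payment codes and the set of codes treated as corporate card are all hypothetical.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows: (report_id, employee, payment_code, amount)
ROWS = [
    ("R1", "E100", "CORP_CARD", Decimal("212.40")),
    ("R2", "E100", "CASH", Decimal("212.40")),       # same amount claimed as OOP
    ("R3", "E100", "CASH", Decimal("18.00")),
    ("R4", "E200", "CORP_CARD", Decimal("212.40")),  # same amount, other employee
    ("R5", "E300", "CASH", Decimal("45.00")),
    ("R6", "E300", "PERSONAL_CARD", Decimal("45.00")),  # both are OOP
]

CARD_CODES = {"CORP_CARD"}  # hypothetical codes that mean "corporate card"


def payment_bucket(code):
    """Step 1: conditional computed field that buckets the payment type."""
    return "Corporate Card" if code in CARD_CODES else "OOP"


def find_double_dips(rows):
    """Step 2: same employee and amount seen under more than one bucket."""
    by_key = defaultdict(lambda: defaultdict(list))
    for report_id, employee, code, amount in rows:
        by_key[(employee, amount)][payment_bucket(code)].append(report_id)
    return {
        key: dict(buckets)
        for key, buckets in by_key.items()
        if len(buckets) > 1
    }


if __name__ == "__main__":
    for (employee, amount), buckets in find_double_dips(ROWS).items():
        print(employee, amount, buckets)
```

E300's two 45.00 claims share a bucket, so they are not reported here; they belong to a duplicate-expense test rather than the double-dip test.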
T&E Gasoline, Mileage, and Car Rentals
• An employee submits a gasoline expense when using a personal vehicle for corporate travel.
Risk
• Identify travel and entertainment (T&E) expense transactions where there is both a corporate card transaction and an out-of-pocket (OOP) to the same employee with the same amount.
Test
TEST #3
T&E Expense Profiling
• A corporate culture exists where travel and entertainment (T&E) expenses are not well controlled.
Risk
• Identify average expense transaction sizes by business unit/division/department.
Test
TEST #4
T&E Excessive Group Meals
• Documentation of group meal attendees is incomplete, creating a compliance or policy issue.
Risk
• Identify average amount of group meals per attendee; report cases where the average amount per attendee is greater than a specified threshold.
Test
TEST #5
T&E Round Amounts
• Transactions with round amounts may be an indication of use for purchasing gift cards or cash advances.
Risk
• Identify transactions with amounts that are divisible by a specified divisor, totaling greater than a specified threshold for an employee.
Test
TEST #6
Analytic Superweapon: Detecting Splits!
1. Bucket transactions into groups using a conditional computed field for payment type
E.g., OOP, Corporate Card
2. Determine whether there are any transactions by same employee with the same amount but different payment types
T&E Dormant Cards
• Lost or stolen corporate cards may be used for fraudulent purchases.
Risk
• Identify all active corporate cards that have not had any transactions for the previous X days.
Test
TEST #7
AREA 2: Record to Report (R2R) / General Ledger (GL)
Data Acquisition for Record to Report and General Ledger
1. Some of the largest data sets
2. Posting dates vs. effective dates vs. entered dates vs. modified dates
3. Reversed entries
Suspicious Keyword in Journal Entries
• Posted entries may not be authorized or valid.
Risk
• Identify any journal entries containing descriptions that could indicate an invalid or suspicious entry.
Test
TEST #8
GL Stratification of Accounts
• Posted entries may not be authorized or valid.
Risk
• Stratify a particular general ledger account to look for journal entries that are outside of the normal range of values posted to the account.
Test
TEST #9
GL Entries with Outlier Amounts
• Posted entries may not be authorized or valid.
Risk
• Select journal entries that deviate more than two standard deviations from the average posted amount to the account.
Test
TEST #10
AREA 3: Payroll (PAY), Timekeeping, and Human Resources (HR)
Data Acquisition for Payroll, Timekeeping, and Human Resources
Key systems
• HR Data
– Employee Master data: employee names, statuses, start dates and end dates, salaries, titles, reporting structures
• Payroll Transaction data
– Pay checks: deductions, pay codes
• Timekeeping data
– Timesheets: worked hours, approvals, overtime
Common Application Systems
• Peoplesoft, Kronos, ADP
PAYROLL - Multiple Salary Increases
• Unauthorized salary increases create an opportunity for fraud or waste.
Risk
• Identify any employees with more than three different base salaries in the past 12 months.
Test
TEST #11
PAYROLL - Timesheet Self-Editing
• Unauthorized changes to historical paycodes may represent an opportunity for waste and fraud.
Risk
• Identify any employees that have applied more than a certain threshold of paycode edits to their own timecards within the investigation period.
Test
TEST #12
PAYROLL – Phantom Employees
• Phantom employees on the payroll may be used to channel funds to an unauthorized party, or as a vehicle for fraud.
Risk
• Identify duplicate employee records where there is more than one employee associated with the same bank account or address.
Test
TEST #13
AREA 4: Information Technology and Information Systems (IT)
IT – Segregation of Duties
• An employee’s temporary access or changes in role may allow a breach in segregation of duties to occur.
Risk
• Identify invoices where the creator or modifier of the invoice is also the creator or modifier of the vendor.
Test
TEST #14
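One way to run the segregation-of-duties test above over audit-trail extracts, as an added example that is not part of the original slides. The event layouts, action names and user IDs are hypothetical and the rows are constructed.

```python
from collections import defaultdict

# Constructed invoice audit trail: (invoice_id, vendor_id, user, action)
INVOICE_EVENTS = [
    ("INV-1", "V10", "akhan", "create"),
    ("INV-1", "V10", "blee", "approve"),
    ("INV-2", "V20", "JSmith", "create"),
    ("INV-3", "V20", "akhan", "create"),
    ("INV-3", "V20", "mroy", "modify"),
    ("INV-4", "V30", "blee", "create"),
]
# Constructed vendor master audit trail: (vendor_id, user, action)
VENDOR_EVENTS = [
    ("V10", "mroy", "create"),
    ("V20", "jsmith", "create"),
    ("V20", "mroy", "modify"),   # e.g. a bank account change
    ("V30", "blee", "view"),     # read-only access is not a conflict
]

TOUCH = {"create", "modify"}  # actions that count as creator or modifier


def sod_conflicts(invoice_events, vendor_events):
    """Return sorted (invoice_id, vendor_id, user) where one user touched both."""
    vendor_actors = defaultdict(set)
    for vendor_id, user, action in vendor_events:
        if action in TOUCH:
            vendor_actors[vendor_id].add(user.lower())
    hits = set()
    for invoice_id, vendor_id, user, action in invoice_events:
        # Compare case-insensitively: the two logs may record IDs differently.
        if action in TOUCH and user.lower() in vendor_actors.get(vendor_id, ()):
            hits.add((invoice_id, vendor_id, user.lower()))
    return sorted(hits)


if __name__ == "__main__":
    for invoice_id, vendor_id, user in sod_conflicts(INVOICE_EVENTS, VENDOR_EVENTS):
        print(f"{invoice_id}: {user} also created or modified vendor {vendor_id}")
```

The match is made per vendor, so a user who maintains one vendor and enters invoices for a different vendor is not reported.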
IT – Privileged User Access
• Users with elevated access for system administration or maintenance abuse their access.
Risk
• Identify prohibited activities by super users for review by management.
Test
TEST #15
AREA 5: Purchase to Payment (P2P)
Data Acquisition for Purchase to Payment
Key Data Elements
• Requisitions, Purchase Orders, Receivables
• Invoices, Payments
• Vendors, Vendor Addresses, Vendor Bank Accounts
Common Application Systems
• Peoplesoft, Kronos, ADP
P2P – Employee Vendor Match
• Vendors matching employee addresses may be used to channel funds to an employee in an unauthorized manner.
Risk
• Identify invoices to vendors matching the numeric address of an employee.
Test
TEST #16
P2P – Non-PO Purchases
• Vendor payments not following the standard purchasing process present a higher risk.
Risk
• Identify vendors with non-PO transactions greater than a specified threshold.
Test
TEST #17
P2P – Duplicate Payments (Duplicate Vendors)
• Multiple vendors exist in the payables system, leading to duplicate payments.
Risk
• Identify invoices with the same amount, to different vendors, with one of:
– Same numeric address
– Same bank account
– Same vendor tax id
– Same vendor name
– Same invoice document reference
Test
TEST #18
P2P – Duplicate Payments (miskeying invoice number)
• A miskeying of the invoice number leads to a duplicate payment.
Risk
• Identify invoices with the same amount, to the same vendor, with different invoice number pattern.
Test
TEST #19
P2P – Blanket Receipts
• Purchases for services or multiple scheduled shipments are received all at once, creating a recognition issue and a risk that the services/goods are never received.
Risk
• Identify purchase receipts larger than a threshold where the largest related invoice is smaller than a certain percentage of the purchase receipt.
Test
TEST #20
P2P – Vendor Master Changes
• Critical data elements of a vendor may be manipulated to channel funds to an unauthorized party.
Risk
• Identify vendors where critical data elements (address, bank account number, name) have changed more than X times in a short time.
Test
TEST #21
P2P – Early Payments
• Early payments present an opportunity cost of capital and may be an indication of a conflict of interest between an employee and vendor.
Risk
• Based on a standard payment term and cost of capital rate, identify early payments that have created an opportunity cost greater than a threshold.
Test
TEST #22
AREA 6: Order to Cash (O2C)
Data Acquisition for Order to Cash
Considerations
• Conditional Pricing
• Customers
• Discounts
• Accounts Receivable
O2C – Channel Stuffing
• Sales orders created during critical periods (e.g., at the end of the fiscal quarter) are sold in higher quantity than necessary and/or heavily discounted, resulting in an overstatement in revenues or overpayment of commissions.
Risk
• Identify patterns of potential channel stuffing in sales representatives, sales management, or sales branches/locations.
Test
TEST #23
O2C – Customer Credit Limits
• Credit limits to customers are not reviewed on a regular basis.
Risk
• Identify customers with unusual credit limits or with credit limits that have not been reviewed in more than X months.
Test
TEST #24
O2C – Sanctioned Customer Testing
• The organization is doing business with an entity that is on a sanction list by the US government.
Risk
• Report transactions with customers having names matching the SAM list (System for Award Management, sam.gov).
Test
TEST #25