Top 25 Tests for Analytic Superheroes - St. Louis

Presented by: Phil Lim, Product Manager, ACL

ACL Connections, June 2014


OBJECTIVE: Superhero combat techniques and analytic superweapons to battle the super villains of FRAUD, WASTE, AND ABUSE


TARGET Areas


• Travel and Entertainment (T&E)

• General Ledger and Record to Report (GL/R2R)

• Payroll (including Human Resources / Timekeeping)

• IT (Information Technology and Access)

• Purchase to Payment (P2P)

• Order to Cash (O2C)


RULES for Analytic Testing


RULE #1: QUICK WINS Choose a specific, narrow risk where there are likely findings.

RULE #2: Use Proper Tools Battling super villains takes analytic super weapons and super powers.

What’s in your toolbelt?


AREA 1: Travel and Entertainment Expenses (T&E)


Data Acquisition for Travel and Entertainment Expenses


• Discover existing data feeds.

• For organizations using Concur, you’re probably already receiving the Standard Accounting Extract (SAE).

• Which data fields are required? (refer to handout)


TEST #1: T&E Split Purchases

Risk
• An employee submits two separate expense transactions for a single expense to avoid a transaction limit.

Test
• Identify travel and entertainment (T&E) expenses by the same employee, to the same expense type, on the same date, where each expense is less than the limit, but total to greater than the limit.


Analytic Superweapon: Detecting Splits!

1. Define your threshold – E.g., $75 meal limit

2. Filter out transactions below the threshold

3. Subtotal amounts based on key fields

– E.g., ACL SUMMARIZE on Employee, Expense Date, Expense Type, SUBTOTAL amount

4. Identify amount subtotals greater than threshold
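The four steps above in Python, as an added example that is not part of the original presentation. The sample rows and the `find_splits` name are constructed for illustration; step 2 is read as keeping only the lines that are individually below the limit, which is what the Test #1 definition requires.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample expense lines (not real data):
# employee, expense date, expense type, amount.
EXPENSES = [
    ("E100", "2014-05-02", "Meal", "48.00"),
    ("E100", "2014-05-02", "Meal", "45.50"),  # two sub-limit meals on one day
    ("E100", "2014-05-03", "Meal", "60.00"),  # single sub-limit meal
    ("E200", "2014-05-02", "Meal", "80.00"),  # over the limit alone: a policy breach, not a split
    ("E200", "2014-05-02", "Meal", "20.00"),
    ("E300", "2014-05-02", "Meal", "40.00"),
    ("E300", "2014-05-02", "Taxi", "50.00"),  # different expense type, so not the same group
]


def find_splits(rows, limit):
    """Return {(employee, date, type): [amounts]} for groups that look like splits."""
    limit = Decimal(limit)  # step 1: the threshold, e.g. a $75 meal limit
    groups = defaultdict(list)
    for employee, date, expense_type, amount in rows:
        amount = Decimal(amount)  # Decimal avoids float rounding on currency
        # Step 2: keep only lines that are individually below the limit.
        if amount < limit:
            # Step 3: accumulate per employee / date / expense type.
            groups[(employee, date, expense_type)].append(amount)
    # Step 4: report groups whose subtotal exceeds the limit. A group of one
    # sub-limit line can never exceed it, so every hit has at least two lines.
    return {key: amounts for key, amounts in groups.items() if sum(amounts) > limit}


if __name__ == "__main__":
    for key, amounts in find_splits(EXPENSES, "75").items():
        print(key, [str(a) for a in amounts], "subtotal", sum(amounts))
```
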


TEST #2: T&E Double Dip

Risk
• An employee submits a corporate card transaction receipt as an out-of-pocket (OOP) expense for reimbursement.

Test
• Identify travel and entertainment (T&E) expense transactions where there is both a corporate card transaction and an out-of-pocket (OOP) to the same employee for the same amount.


Analytic Superweapon: Detecting Splits!

1. Bucket transactions into groups using a conditional computed field for payment type

– E.g., OOP, Corporate Card

2. Determine whether there are any transactions by same employee with the same amount but different payment types
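The two steps above in Python, as an added example that is not part of the original presentation. The payment-type codes, the `BUCKETS` mapping, the sample rows and the `find_double_dips` name are all constructed; a real expense feed will use its own codes.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed mapping from raw payment-type codes to the two buckets
# (assumption: real feeds carry their own codes for these categories).
BUCKETS = {"CASH": "OOP", "PERSONAL_CARD": "OOP", "CORP_CARD": "Corporate Card"}

# Constructed sample lines (not real data): report id, employee, payment type, amount.
LINES = [
    ("R1", "E100", "CORP_CARD", "212.40"),
    ("R2", "E100", "CASH", "212.4"),       # same amount claimed again as out-of-pocket
    ("R3", "E200", "CORP_CARD", "35.00"),
    ("R4", "E200", "CORP_CARD", "35.00"),  # same bucket twice: a duplicate, not a double dip
    ("R5", "E300", "CASH", "18.75"),
    ("R6", "E400", "CORP_CARD", "18.75"),  # same amount, different employee
]


def find_double_dips(lines):
    """Return (employee, amount, card_reports, oop_reports) per suspected double dip."""
    seen = defaultdict(lambda: defaultdict(list))
    for report, employee, payment_type, amount in lines:
        # Step 1: the conditional computed field that buckets the payment type.
        bucket = BUCKETS.get(payment_type, "Other")
        # Decimal("212.4") and Decimal("212.40") compare and hash equal, so
        # formatting differences between feeds do not hide a match.
        seen[(employee, Decimal(amount))][bucket].append(report)
    hits = []
    # Step 2: same employee and amount present in both buckets.
    for (employee, amount), buckets in seen.items():
        card, oop = buckets.get("Corporate Card"), buckets.get("OOP")
        if card and oop:
            hits.append((employee, str(amount), card, oop))
    return hits


if __name__ == "__main__":
    for hit in find_double_dips(LINES):
        print(hit)
```
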


TEST #3: T&E Gasoline, Mileage, and Car Rentals

Risk
• An employee submits a gasoline expense when using a personal vehicle for corporate travel.

Test
• Identify travel and entertainment (T&E) expense transactions where there is both a corporate card transaction and an out-of-pocket (OOP) to the same employee with the same amount.


TEST #4: T&E Expense Profiling

Risk
• A corporate culture exists where travel and entertainment (T&E) expenses are not well controlled.

Test
• Identify average expense transaction sizes by business unit/division/department.


TEST #5: T&E Excessive Group Meals

Risk
• Documentation of group meal attendees is incomplete, creating a compliance or policy issue.

Test
• Identify average amount of group meals per attendee; report cases where the average amount per attendee is greater than a specified threshold.


TEST #6: T&E Round Amounts

Risk
• Transactions with round amounts may be an indication of use for purchasing gift cards or cash advances.

Test
• Identify transactions with amounts that are divisible by a specified divisor, totaling greater than a specified threshold for an employee.


TEST #7: T&E Dormant Cards

Risk
• Lost or stolen corporate cards may be used for fraudulent purchases.

Test
• Identify all active corporate cards that have not had any transactions for the previous X days.


AREA 2: Record to Report (R2R) / General Ledger (GL)


Data Acquisition for Record to Report and General Ledger


1. Some of the largest data sets

2. Posting dates vs. effective dates vs. entered dates vs. modified dates

3. Reversed entries


TEST #8: Suspicious Keyword in Journal Entries

Risk
• Posted entries may not be authorized or valid.

Test
• Identify any journal entries containing descriptions that could indicate an invalid or suspicious entry.


TEST #9: GL Stratification of Accounts

Risk
• Posted entries may not be authorized or valid.

Test
• Stratify a particular general ledger account to look for journal entries that are outside of the normal range of values posted to the account.


TEST #10: GL Entries with Outlier Amounts

Risk
• Posted entries may not be authorized or valid.

Test
• Select journal entries that deviate more than two standard deviations from the average posted amount to the account.


AREA 3: Payroll (PAY), Timekeeping, and Human Resources (HR)


Data Acquisition for Payroll, Timekeeping, and Human Resources


Key systems

• HR Data: Employee Master data (employee names, statuses, start dates and end dates, salaries, titles, reporting structures)

• Payroll Transaction data: Pay checks (deductions, pay codes)

• Timekeeping data: Timesheets (worked hours, approvals, overtime)

Common Application Systems

• Peoplesoft, Kronos, ADP


TEST #11: PAYROLL - Multiple Salary Increases

Risk
• Unauthorized salary increases create an opportunity for fraud or waste.

Test
• Identify any employees with more than three different base salaries in the past 12 months.


TEST #12: PAYROLL - Timesheet Self-Editing

Risk
• Unauthorized changes to historical paycodes may represent an opportunity for waste and fraud.

Test
• Identify any employees that have applied more than a certain threshold of paycode edits to their own timecards within the investigation period.


TEST #13: PAYROLL – Phantom Employees

Risk
• Phantom employees on the payroll may be used to channel funds to an unauthorized party, or as a vehicle for fraud.

Test
• Identify duplicate employee records where there is more than one employee associated with the same bank account or address.


AREA 4: Information Technology and Information Systems (IT)


TEST #14: IT – Segregation of Duties

Risk
• An employee’s temporary access or changes in role may allow a breach in segregation of duties to occur.

Test
• Identify invoices where the creator or modifier of the invoice is also the creator or modifier of the vendor.
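One way to run the Test #14 comparison in Python, as an added example that is not part of the original presentation. The field names (`created_by`, `modified_by`), the sample records and the `sod_conflicts` name are hypothetical; the example also goes one step beyond the slide by listing invoices whose vendor is missing from the master file, since those cannot be tested at all.

```python
# Constructed vendor master audit fields (hypothetical field names, not real data).
VENDORS = {
    "V001": {"created_by": "asmith", "modified_by": ["bjones"]},
    "V002": {"created_by": "cwu", "modified_by": []},
    "V003": {"created_by": "dlee", "modified_by": ["asmith", "dlee"]},
}

# Constructed invoice audit fields; note the inconsistent casing and padding on INV-3.
INVOICES = [
    {"invoice": "INV-1", "vendor": "V001", "created_by": "bjones", "modified_by": []},
    {"invoice": "INV-2", "vendor": "V002", "created_by": "asmith", "modified_by": ["bjones"]},
    {"invoice": "INV-3", "vendor": "V003", "created_by": "cwu", "modified_by": ["ASmith "]},
    {"invoice": "INV-4", "vendor": "V999", "created_by": "cwu", "modified_by": []},
]


def _users(record):
    """Normalized set of user ids that created or modified a record."""
    ids = [record["created_by"], *record["modified_by"]]
    # User ids often differ in case or padding between systems; normalize first.
    return {u.strip().lower() for u in ids if u and u.strip()}


def sod_conflicts(invoices, vendors):
    """Return (conflicts, unmatched): invoices touched by a user who also touched the vendor."""
    conflicts, unmatched = [], []
    for inv in invoices:
        vendor = vendors.get(inv["vendor"])
        if vendor is None:
            # No vendor master row: the test cannot be evaluated for this invoice.
            unmatched.append(inv["invoice"])
            continue
        overlap = _users(inv) & _users(vendor)
        if overlap:
            conflicts.append((inv["invoice"], inv["vendor"], sorted(overlap)))
    return conflicts, unmatched


if __name__ == "__main__":
    found, missing = sod_conflicts(INVOICES, VENDORS)
    print("conflicts:", found)
    print("vendor not in master:", missing)
```
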


TEST #15: IT – Privileged User Access

Risk
• Users with elevated access for system administration or maintenance abuse their access.

Test
• Identify prohibited activities by super users for review by management.


AREA 5: Purchase to Payment (P2P)


Data Acquisition for Purchase to Payment


Key Data Elements

• Requisitions, Purchase Orders, Receivables

• Invoices, Payments

• Vendors, Vendor Addresses, Vendor Bank Accounts

Common Application Systems

• Peoplesoft, Kronos, ADP


TEST #16: P2P – Employee Vendor Match

Risk
• Vendors matching employee addresses may be used to channel funds to an employee in an unauthorized manner.

Test
• Identify invoices to vendors matching the numeric address of an employee.


TEST #17: P2P – Non-PO Purchases

Risk
• Vendor payments not following the standard purchasing process present a higher risk.

Test
• Identify vendors with non-PO transactions greater than a specified threshold.


TEST #18: P2P – Duplicate Payments (Duplicate Vendors)

Risk
• Multiple vendors exist in the payables system, leading to duplicate payments.

Test
• Identify invoices with the same amount, to different vendors, with one of:
  • Same numeric address
  • Same bank account
  • Same vendor tax id
  • Same vendor name
  • Same invoice document reference


TEST #19: P2P – Duplicate Payments (miskeying invoice number)

Risk
• A miskeying of the invoice number leads to a duplicate payment.

Test
• Identify invoices with the same amount, to the same vendor, with a different invoice number pattern.


TEST #20: P2P – Blanket Receipts

Risk
• Purchases for services or multiple scheduled shipments are received all at once, creating a recognition issue and a risk that the services/goods are never received.

Test
• Identify purchase receipts larger than a threshold where the largest related invoice is smaller than a certain percentage of the purchase receipt.


TEST #21: P2P – Vendor Master Changes

Risk
• Critical data elements of a vendor may be manipulated to channel funds to an unauthorized party.

Test
• Identify vendors where critical data elements (address, bank account number, name) have changed more than X times in a short time.


TEST #22: P2P – Early Payments

Risk
• Early payments present an opportunity cost of capital and may be an indication of a conflict of interest between an employee and vendor.

Test
• Based on a standard payment term and cost of capital rate, identify early payments that have created an opportunity cost greater than a threshold.


AREA 6: Order to Cash (O2C)


Data Acquisition for Order to Cash


Considerations

• Conditional Pricing

• Customers

• Discounts

• Accounts Receivable


TEST #23: O2C – Channel Stuffing

Risk
• Sales orders created during critical periods (e.g., at the end of the fiscal quarter) are sold in higher quantity than necessary and/or heavily discounted, resulting in an overstatement in revenues or overpayment of commissions.

Test
• Identify patterns of potential channel stuffing in sales representatives, sales management, or sales branches/locations.


TEST #24: O2C – Customer Credit Limits

Risk
• Credit limits to customers are not reviewed on a regular basis.

Test
• Identify customers with unusual credit limits or with credit limits that have not been reviewed in more than X months.


TEST #25: O2C – Sanctioned Customer Testing

Risk
• The organization is doing business with an entity that is on a sanction list by the US government.

Test
• Report transactions with customers having names matching the SAM list (System for Award Management, sam.gov).


For more information please contact me:

Phil Lim
