Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical tools for effective internal audit organizations. Why then do more than half of organizations—according to those same surveys—still rate their analytic capability as poor or needing improvement? The reality is that change is difficult.
It Starts with a Plan
Analytics must be integrated in all aspects of fraud risk identification, assessment, investigation, communication, mitigation, and continuous monitoring. We can’t simply wish data analytics into existence or hope that it will crop up organically. To successfully integrate data analysis into the investigation process you must have a formal development and implementation plan. The plan must address the need for staffing at the appropriate level, skills, knowledge, and number; technology, including software; and fraud risk assessment and investigation processes and data analytics.
It also takes a real commitment; you will need to change the way you currently perform investigations. It must also have a project manager who will be held accountable for delivery on the plan, clear objectives, milestones, and a reporting requirement. Reporting should go to the CEO and the Board to ensure they understand and fully support the adoption of analytics.
The plan should define the Objectives, Goals, Strategies, and Measures (OGSM) for the use of analytics. This helps to ensure that all members of the team and all level of the organization understands the role analytics can and will play in the fraud risk management process.
Sample OGSM
Objectives:
Data analytics and AI capability will be used to add significant value to the fraud risk management process
Data analysis is a key component of the way in which technology will be used to transform the efficiency, effectiveness and value-add of the fraud risk management process
Data analysis is a key driver of an integrated approach to audit, fraud risk identification and assessment, control testing and potential fraud investigation
Goals:
To ensure that the organization has access to standard data sources, understands and has the capability to access and use these data sources, and employ data analytics in support of the fraud risk management process and throughout the investigative process (planning, conduct, reporting and follow-up).
Strategies:
Identify guidance to support investigators and auditors in obtaining data and using analytics
Identify/develop training that will enable staff to perform analytics
Use standard data extracts, analytics, and visualization to support fraud risk management.
Measures:
X% of fraud risk identification and assessment planning process includes quantitative analytics.
Data analysis used on X% of fraud risk assessments and Z% of investigations within a Y month timeframe
Reduction in the cycle time of X% for investigations using data analysis
Data analysis results in X% increase in positive feedback about value added by investigative personnel
X fraud risk assessments will include automated repeatable analysis routines by Y date
X% reduction in hours spent on manual controls testing procedures
People
A successful fraud risk management analytics program involves far more than acquisition of data analysis software and training in its use. Other sections of this guide describe the stages in the analytics process, as well as the typical resource and knowledge requirements. A variety of roles are involved throughout the analytics process. Changes in roles also occur as use of analytics becomes more mature within an audit department. Investigative team leaders should have a good understanding of the different roles and how to organize them to best effect within a given team.
The success of developing and maintaining a sustainable FRM analytics program depends heavily upon the people, knowledge, and skillsets available. In addition to the audit committee, internal audit, and management, the organization also may include professionals with specific domain expertise, e.g., legal, compliance, investigations, emerging markets, human resources, geographic/cultural, and technology on the investigative team. The team can be internal, external or a combination of internal and external resources. Planning for the use of analytics should include establishing an inventory of the required knowledge and skills and determining how to best meet those needs through training and the experience of resources.
Analytics requires an understanding of the business processes, the data supporting them, and a solid grasp of investigation process and requirements, including the application of the professional and legal standards. None of these will be provided by junior level programming resources. Rarely will all these skills exist within one individual, and they might not already exist in your audit organization. Rather than being an impediment, this should be seen as an opportunity to obtain the right resources and task them with a clear objective.
Organization size and complexity are factors in determining the extent to which data analytics are integrated into a Fraud Risk Management Program. If you are lucky and have the appropriate type of resources in your organization already – often in the internal audit shop - then you are ahead of the game. Existing personnel already know the business processes and have the investigative skills, and perhaps have some analytical capabilities. However, they will need to be supported by training and software; and given sufficient time to develop the skills and implement the functionality. Most importantly, they will need to be dedicated to analytics. Otherwise, you end up pulling valuable resources away from other priorities and tasking them with something in addition to what they are already doing; or settle for a subset of the required skills. In either case, it is a recipe for failure.
A statement often heard is: “We are an organization, and we can’t afford to dedicate a person to analytics.” Indeed, lack of staffing is a common rationale for not using data analytics. But does having a small team mean you can afford to be less efficient and effective? The reality is, unless you are using analytics, you are not addressing risk, testing controls, examining compliance, and improving business operations, and identify, assessing and investigation fraud risk to the extent that you could be. A good place to start developing the FRM analytics capability is within the internal audit function. Auditor can use analytics on a continual basis – for all audits – and improve their knowledge of the underlying systems, data, and analytics making them ready to support any investigation.
If you are going to decide not to use data analytics, at least make it an informed decision. Examine the costs and benefits and then decide. Don’t simply look at your existing resources, which are most likely being used to the maximum, and decide that you can’t take on anything else. It is not a question of doing more with the same resources. Ask yourself if there are things that you don’t need to be doing or if they are better ways to do what you need to do. Also look at what you are not doing and determine the value-added if you could do those things. Then decide if you can afford not to be using data analytics.
Technology
A common question for organizations just starting out on data analytics is which software package to use. The answer should be decided based on your requirements and your short- and long-term plans for analytics. Start by leveraging existing capabilities such as standard reports and Excel, but don’t be limited by what you have. Experiment, and when you exhaust your capabilities look elsewhere. Find out what other audit organizations are using. There are many options, including Arbutus, Galvanize, Tableau, SaS, TeamMate Analytics, and many others.
The Fraud Risk Management (FRM) team should work closely with the IT section to ensure the implementation of analytics is successful. Most of the interaction with IT typically occurs in the context of software selection and data access and extraction. In part the extent of interaction depends upon the availability within the FRM function of technical expertise and data access and extraction software.
Regardless of the software package you choose, you should be using data analysis. You will need to plan and manage your adoption of analytics, and it will take time, resources, and technology, but the benefits are endless. It also must be integrated in every phase of the investigative process—including planning, field work, and reporting—and should be developed with an understanding of the business processes and the underlying data. It is easy to do it wrong, but worth doing right.
Process
Analytics is not something that is simply added to parts of an investigation. Analytics should be running before the potential fraud is being investigated – to perform fraud risk assessment and early identification. Analytics support the initial identification and assessment of fraud risk and the investigation of potential fraud by adding a layer of quantitative information to the qualitative information that is collected.
To achieve a high-level of benefits, the use of audit analytics needs to be integrated into the overall fraud risk management process. This means understanding at what point in the FRM cycle different forms of analytics are best utilized. It also means that the entire investigative team should be aware of when and how analytics are to be used, together with their own role in the process. Analytics can potentially be used in virtually every stage of the fraud risk assessment, planning, conduct, report, and follow-up. The following are the typical stages of the FRM process in which data analysis should be considered:
FRM planning: When automated analysis tests are run regularly within a given business process area, they can provide indication of fraud risk trends that can be used to determine whether an in-depth review is needed.
Fraud risk assessment: At the commencement of an investigation, data analysis can be used to examine entire populations of transactions in a business process area and identify areas of concern requiring specific focus
Controls testing: Data analysis tests can examine transactions to determine if all comply with the internal control rules that have been established. Analysis can also identify cases in which risks exist for which no effective control has been established. In cases where control weaknesses are identified, the full impact can be quantified.
Substantive procedures: Data analysis can often replace the need for sampling and be used to analyze entire populations for transactions or balances to identify anomalies and problem areas.
Reporting investigation findings: One of the key benefits of data analysis to the audit process is that the extent and impact of issues can be quantified with a high degree of precision. (For example, instead of reporting that a sample of purchase orders indicates proper approval processes are not always followed and contributed to fraud, investigators can state specifically that X purchase orders, with a total value of $Y, were fraudulently approved by managers.)
Continuous Monitoring: Automated repeatable data analysis tests can enable a continuous FRM process. An effective continuous auditing process can identify and measure changing levels of fraud risk. This can inform audit about when a review or investigation is necessary and free-up resources to focus on more complex high-risk areas requiring professional expertise.
Quality Assurance Review: the QAR process in place to assess the quality of investigations should be modified to include the assessment of the effectiveness of the use of analytics by each potential fraud investigation. At a minimum, every investigation should assess the applicability of analytics.
The following steps should be in place to make the use of analytics more efficient and continuous and better positioned to support the fraud risk management process.
Obtain access to data – ensure ongoing access to all information is in place, not just when an audit or investigation is being performed. Identifying and obtaining the data to support fraud analysis and testing is frequently the most time-consuming part of the process. It requires not only a determination of the required data elements but also the ability to extract these from an IT system. Having an ongoing ability to access, develop an understanding of, and use the data prior to a potential investigation will greatly reduce the time and effort. Once data is obtained, it is important to determine that the data is correct and complete before analysis is performed.
Develop and maintain queries to extract required data – safeguard and maintain the extract queries. As the use of data analysis expands, the processes for managing and maintaining data become more complex. Important issues include maintaining security over access to data, and managing the life cycle (acquire, use, maintain and dispose) aspects of the data.
Develop and verify analytics – use the results of audits, reviews, and investigations to validate the analytics and identify risks, control weakness, non-compliance, etc. that were identified by analytics. Data analysis tests range from relatively simple to complex. They can be intended for single time use to support a specific investigation or as fully automated routines run as part of a monitoring process. Standards for design, development, and maintenance of tests become increasingly critical as the levels of complexity and automation increase. There should be enough documentation to support ongoing usage, understanding of the analytics performed and management review.
When used during the fraud risk assessment stage, the validity of results should be determined. Errors in the test logic, assumptions, or coding should be identified and required made as part of a continuous review/improvement program.
Identify and re-run analytics on a regular basis – use previous results or frauds to determine which analytics should be re-run to assess management action on risk mitigation activities; and the analytics to run on a continuous basis to assess existing and identify emerging fraud risks. As organization progress in their use of FRM data analysis, the development of an FRM analytics library can make data analysis a sustainable and economic process that is also efficient and effective. The ideal is to have a well-managed and continually growing library of proven tests that can be applied in multiple audit areas. But you can start small by identifying a specific directory on the LAN and setting up proper access controls.
Assess new/emerging risks and data sources – use audits and other reviews to continually update the fraud risks and analytics to ensure that data sources, risk landscape and analytics reflect the current risk environment.
Using the template like the one below, the fraud risk identification process can clearly state the business process objective and identify the associated fraud risks and controls, analytics to test the controls, and the required data. The results are also linked back to the controls and fraud risks, so the mitigation actions are focused on the root cause of the risk – not the symptoms.
By tracking the ‘risk-analytic’ relationship, you can identify which analytics were successful and should be run on a periodic basis to provide a continuous fraud risk assessment and ensure that the fraud risk is current. These analytics can be used for follow-up on management action plans and incorporated into the continuous fraud risk assessment process.
Bottom Line
The value of implementing a fraud risk analytics capability has been proven time and again. Yet this undertaking should not be taken lightly. I’ve outlined a framework for building your own capabilities, however there is much to consider, and the time, costs (and people) will add up. These costs are the biggest barrier to implementation and have negatively impacted adoption. That’s why we founded CTRLmatters - a fraud analytics capability “in-a-box” so to speak. It allows you get be up and running quickly while you build your expertise.
Whether you implement your own fraud risk management framework, or utilize a solution like CTRLmatters, I encourage you to protect your enterprise and its stakeholders by putting a solid framework in place. The statistics show it’s well worth the effort.
Dave Coderre
Senior Data Analyst/Co-Founder
CTRLmatters.com
Comments