Back to newsletter

Helping Internal Auditors Reduce Fraud Risk

How accounts payable can rally to create a win

by Edward T. Arnold, Director of Vendor Risk Management, APEX Analytix

Even in the best of times, internal auditors have a full plate; however, ongoing economic uncertainty has put even more pressure on companies to get more done with less, and to scale back on budgets. That's particularly true in the internal audit function at many Fortune 500 companies. On the plus side, it represents an opportunity for staff in accounts payable to step up to the plate and help everyone sleep better at night.

Here's some solid evidence. According to a recent PriceWaterhouse Coopers (PwC) study of the internal audit function, some 85 percent of senior audit execs expect their budgets to remain flat or decline in 2011, while at the same time, internal auditors are being asked to take on non-traditional roles ranging from global risk management to forensic auditing.

For the last several years, audit staff resources have been stretched thin by the economy and down-sizing. Companies often use skeleton crews to perform operations that historically had much higher staffing volume. In addition, some individuals may lack updated skills needed to validate and verify information in the public domain, given the fact that much of the best information originates from paid sources.

Fraud gets overlooked

When it comes to uncovering fraud, only 17.6 percent surface as a result of internal audit at publicly held companies (11.6 percent at private companies) according to the 2010 Global Fraud Study by the Association of Certified Fraud Examiners (ACFE). Other eye-opening data from the ACFE:

• The typical organization loses 5 percent of its annual revenue to fraud, representing a total fraud loss of $2.9 trillion (using 2009 Gross World Product data as the measuring stick).
• The median loss from occupational fraud was $160,000, but nearly one in four frauds exceeds $1 million.
• Asset misappropriation schemes are the most common, at 90 percent of the cases uncovered. Thanks in part to Sarbanes Oxley, financial statement fraud is least common, at less than 5 percent -- But as you might expect, it can cause the most damage, with a median loss of just over $4 million.

One reason internal auditors can miss signals that indicate possible fraud is that traditional internal audits focus on verifying that controls are in place and operations adhere to established policies and procedures.

In reality, however, many fraudsters circumvent controls and bypass the scrutiny of a designated reviewer. Complex business practices, unique general ledger account design and other factors also make it difficult to cull atypical transactions from a large subset of "sampled" data.

Here are two recent situations that escaped detection by internal audit, but surfaced after a more detailed Vendor Risk Analysis by APEX Analytix:

• A client engaged a supplier to handle janitorial and maintenance work only to find out later that over $1 million in disbursements were mailed to the residence of an "owner" previously employed by the client.
• A client's supplier, although previously validated through Dun & Bradstreet, Hoovers and Lexis-Nexis, turned out to be involved in a clever kickback scheme. This surfaced through a Benford's evaluation, performed to highlight irregularities in the frequency distribution of numbers, that identified manipulation of billed amounts.

When it comes to auditing accounts payable, just analyzing the vendor master file and understanding the company's third-party relationships can consume significant audit resources. After all, the typical vendor master may contain thousands of records. That can eat up a lot of time and money quickly.

Technology can help

Half the companies PwC studied admitted less than 25 percent of their non-IT auditors have experience with the company's enterprise resource planning system, and only 28 percent reported using data-mining and data-analysis tools for more than 25 percent of their audit work. That's a significant technology skills gap that accounts payable can help address by recommending its own technology solutions.

An alternative to consider is outsourcing a risk assessment to APEX Analytix. That minimizes the front-end effort required to root out risk and allows internal audit or corporate security to focus on back-end research and validation to evaluate conflicts of interest, questionable business practices or outright fraud.

A vendor risk analysis involves a much deeper dive into the data compared to standard audit sampling approaches. An APEX Analytix Vendor Risk Analysis examines 100 percent of historical transactions, looking for payments to fictitious companies, vendors with conflicts of interest, kickback deals or "bad actors" on the Treasury Department's Office of Foreign Asset Control (OFAC) list. Retailers and companies with multiple locations or global-sourced vendors are particularly at risk.

APEX's FirstStrike^® and Vendor Risk Analysis tools have been refined and polished over the years, so that in addition to checking employee addresses and government watch lists, dozens of other suspect transaction items are flagged, including:

• Private mail service addresses.
• Prison addresses.
• Inconsistencies with Benford's Law (a mathematical test proven to identify expected distribution anomalies)
• Even dollar amounts.
• Consecutive invoice numbering.

Outsourcing a vendor risk analysis project saves audit resources and costs, compared to developing an in-house approach that may or may not be thorough enough. APEX Analytix has refined and tested its process across numerous commercial manufacturing, retail and Fortune 100 clients and proven the process to be a cost-effective alternative approach. 

Although the data capture, algorithms and reporting benefit from standardization, the software is flexible enough to allow "slicing and dicing" the data in a variety of ways to identify and score risks according to magnitude or materiality. That approach allows internal audit to zero-in on high-risk situations that call for staff expertise, while minimizing time spent on low-value activities like data manipulation and formatting. Among the benefits:

• Independent, proactive data mining to isolate fraud and identify other risks to the organization, based on user-defined parameters and composite scoring.
• An automated review and evaluation of 100 percent of two or three prior years of historical transactions and vendors, compared to the random sampling conducted by internal or external auditors.
• A comprehensive back-end effort to pursue risk areas identified from automated analysis.
• The ability to conduct different types of risk analysis based on transaction type (for example, evaluating Travel & Entertainment differently from standard transactions).
• Vendor master assessment and clean-up can be included in the engagement, to identify and eliminate the risk of duplicate payments or overpayments or other errors common in a consolidated vendor master file.
• A comprehensive report summarizing risk concerns, which often extend beyond outright fraud to include legal, environmental or reputational risks as well.

Accounts payable can add value

Partnering with internal audit gives accounts payable the opportunity to add value to the organization and step out of its traditional service function. And, since many schemes or frauds touch accounts payable directly -- check tampering, billing schemes, T&E abuses -- it makes sense for accounts payable to help internal audit build a case for implementing a cost-effective technology solution.

Internal auditors are bound to see the value in allocating resources to something else on their priority list. And of course accounts payable leadership benefits from the sleep-at-night assurance of knowing that they've done all they can to combat fraud and waste.

Once the annual audit project is complete, the next step to maximize efficiency and minimize losses is to flag suspect transactions as early in the process as possible. After all, it is much easier to detect and prevent fraud before a payment goes out the door than to recover an amount shelled out in error after the fact.

The most effective way to detect high-risk activity early is through automated monitoring of data in a company's accounts payable system. Even solid internal controls can fall short, because they are grounded in traditional, manual approaches that examine processes after the fact.

Many people think they are in the clear because they have internal controls in place. These certainly help -- but spot-checking invoices or payments periodically often allows fraud to fly under the radar, compared to examining every transaction as it occurs in real time. In effect, ongoing monitoring with a system like FirstStrike^® is like being vaccinated against a disease … find it and prevent it fast.

Edward T. Arnold, director of vendor risk management at APEX Analytix, has over 17 years of experience in the recovery audit industry, with a "hands-on" background in data acquisition and analysis, audit management and contract compliance. His earlier experience includes seven years in corporate accounting at Texaco, a Fortune 50 company. He holds a degree in accounting information systems from Pace University.