fraud detection using analytics
TRANSCRIPT
-
8/2/2019 Fraud Detection Using Analytics
1/37
Fraud detection using analytics
Topics
Objectives
Overview
Analytic procedures
Exercises
Continuous auditing
Summarization and wrap-up
Fraud detection using analytics - objectives
Topics
Course Objectives
Case study overview
Course materials
Exercises
Recommended sequence
Home
Detection and investigation of Fraud
This is a case study regarding a fictitious mail order company where an allegation of
fraud has been received. A SAS 99 brainstorming session was held, and 11 critical
expectations were developed during that brain storming session. The case study can
generally be completed in about four hours.
Upon completion of this case study, participants will:
Understand the application ofsummarization and why it is often useful tohighlight areas of possible concern
Learn how to readily identify audit outlier amounts Understand how to implement "matching" to identify critical exceptions See how to quickly check for gaps in numeric sequences
http://webcaat.org/moodle/mod/resource/view.php?id=590http://webcaat.org/moodle/mod/resource/view.php?id=590http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/course/view.php?id=13http://webcaat.org/moodle/course/view.php?id=13http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=590 -
8/2/2019 Fraud Detection Using Analytics
2/37
Understand and apply Benford's Law to items such as revenue, for the purposeof determining reasonableness
Know how to quickly identify all types ofduplicates Extract just transactions with errors, according to auditor provided
specifications
Isolate transactions with round numbers for further review Be able to check logs for transactions initiated during non-business hours Know how to summarize time line data using ageing in order to spot unusual
trends
Check that separation of duties controls are effectiveHow this is done
Recommended steps are as follows:
Read the narrative in order to gain an understanding of the environment beingaudited (or watch to short video overview)
Optionally, download thecase study data (Excel 2003 workbook) - however allthe data needed is available online
Select any or all of the short videos which demonstrate possible audit solutions Test your knowledge by re-performing the audit procedures (or using
alternative methods)
Hikers 'R Us Case StudyRecommended sequence
Recommended steps are as follows:
Follow the steps, item by item, in the course outline Read thenarrativein order to gain an understanding of the environment being
audited (or watch to short video overview)
Optionally, download thecase study data (Excel 2003 workbook) for review(however, this step is not required because all the data is available online)
Select any or all of the short videos which demonstrate possible audit solutions Test your knowledge by re-performing the audit procedures (or using
alternative methods)
http://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Customer_Refund.xls -
8/2/2019 Fraud Detection Using Analytics
3/37
Course materials
All of the course materials are available on-line. These are included as links in the
course material.
Thefinal moduleat the end of the course also includes a number of links to otherreferences of possible interest.
The online course material consists of simulated vendor and employee data suitablefor audit testing. The data is contained on a cloud server in a database. In order to
access this data, a proper user id and password must be provided. The user id for the
Fraud Detection course is "hru1" with a password of "hru1". The name of the
database to be specified is "hru". All of this information is provided without the
quotes and is case sensitive.
The login form is shown below.
http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336 -
8/2/2019 Fraud Detection Using Analytics
4/37
Once a login has been successfully completed, a table should be selected from the
drop down list. This form appears as follows.
The course uses seven database tables as follows:
AR (customer receivables)
Call_Center (Call Center transactions)
Customer_Service (Customer Service authorizations)
Employee (Employee master file)
Refunds (Refunds issued)
Revenue (Sales transactions)
Treasury (Authorizations by the Treasury department
-
8/2/2019 Fraud Detection Using Analytics
5/37
Case study exercises
"I hear and I forget. I see and I remember. I do and I understand." - Confucius
Overview
Performing exercises reinforces the concepts taught and better ensures that the auditor
will be able to apply the concepts learned in future audits.
Structure
Concepts are presented and discussed. Then an example of how to apply the concept
is presented. Following this an example exercise with instructions is presented in
order to test the participant's understanding of the concepts. Finally, the answer to the
exercise is also presented in order to compare the results obtained by the participant
with the suggested procedure.
Watching the exercise
When tutorials are presented, they may be accompanied by a video. These videos
have a control bar at the bottom of the video to navigate and control how the video is
presented. Click on the link below to view the process to control the videos using the
control bar.
Narration (2:03)
Fraud_Detection_Exercises_video.mp4
http://fraud_detection_exercises_video.mp4/http://fraud_detection_exercises_video.mp4/http://fraud_detection_exercises_video.mp4/ -
8/2/2019 Fraud Detection Using Analytics
6/37
Case study overview
Hikers 'R Us Narrative
Overview
Founded in 1978, Hikers R Us is the premier mail order firm supplying a wide range of qualityhiking and camping supplies and equipment. Almost all of the items are sold through mail order
to customers in the United States and Canada. The goods are imported from China. Hikers R Ushas been profitable for some time. They have transitioned from doing business on paper through
several computer based systems.
Refund Policy
Hikers R Us has a very liberal return policy so they will accept returns for almost any reason.Returns have historically been low at around 1% of sales. A recent routine audit of sales returns
did not disclose any weaknesses or errors. Although revenues have been flat, returns have beensteadily increasing.
System Operations
The company uses the enterprise software from the Mexican software company Sapo. (Sapomeans toad in Spanish). Controls over cash refunds are very tight. First, the software system
itself performs extensive checking and cross-checking at every step in the refund process. Thecomputer system is housed in a highly secured area and physical access is severely limited.
The refund process begins when a customer contacts the call center in Leland, North Carolina.
Call center hours are 8:00 a.m. to 5:00 p.m. on business days typically Monday through Fridayand excluding holidays. Calls come through an automated voice recording system where the
customer enters their account number. When a call center representative takes the call, the
customers account is brought up immediately in the Sapo system and the representative canverify that the purchase was made. The call center representative then completes a form 2134
Customer Refund Quest. The original is a white page, which is filed in the Call Center in
numerical order. The yellow copy is forwarded to the Customer Service center where it is filed in
the customers account file. The third copy, pink, is sent to the Treasury Department. Sapo
includes a state of the art work flow system. The system logs all of the activity.
The work flow system assigns the call center information randomly to one of twenty customer
service center representatives. (Customer service center representatives are separate from the callcenter staff). Each customer service center representative logs onto the Sapo system andexamines their work queue which consists of customer refund requests. The customer service
center representative then pulls the yellow copy of the refund request from the customers file,verifies that the customer information is correct and then checks that the order refund request is
appropriate considering the purchase date and amount. The Sapo system maintains a history ofaccount activity for each customer.
-
8/2/2019 Fraud Detection Using Analytics
7/37
Once the customer service center representative has completed the review, the yellow copy is
signed, dated and initialed and then returned to the customer file. The work queue is markedcomplete and the Sapo system then assigns the request to a random employee in the Treasury
department for review and final approval.
The Treasury department is located in Ocracoke, North Carolina. They receive the pink copy ofthe customer refund request, which is faxed from Leland. When each employee in Ocracoke logs
on the Sapo system, they review their work queue to see the customer refund requests that havebeen assigned to them by the system. Each request in the system is then matched against the
faxed pink copy and the amounts are verified against the Sapo customer history file. They then
initial and date the fax form and file it in sequential order. When complete, they approve therefund request in the work queue system. The next business day after the refund request has been
approved, checks are printed, burst, stuffed and mailed from the data center in Charlotte, North
Carolina.
Hot Line
The company has a hot line and recently received a number of calls (all but one wereanonymous) that an inside ring was stealing fairly significant amounts of money using the refund
process. Hikers R Us recently implemented their Window to the World policy that all fraud
allegations would be detailed and publicized so that their shareholders, employees and vendorswould be able to see all allegations. This would serve as a deterrent to any fraudsters.
You contacted the one identified person making the allegation and found that he is now
completely uncooperative. All he would say is that as an employee, he is unhappy because
despite working hard, he has not gotten a raise in years. He also said he has spotted two Porsches
and three Hummers in the company parking lot that were not there before and wonders how
employees can afford these.
Refund Supervisor
The supervisor of refunds informs you that there is no problem. With the economy in bad shape,people are cutting back on camping, but now seem less reluctant to ask for a refund. He said
some customers are definitely taking advantage of the liberal refund policy. He is also annoyed
that you are even asking about this, stating that he was just audited by Poe, Pollock and
Cartwright, a small regional auditing firm. The audit proved there were no problems. Due toforced cutbacks his staff is now working overtime. With all that is going on he asks that any
further questions be cancelled or deferred.
Management Request
Management also doesnt think there is a problem, but they would like for you to take a look.
Youve decided to set up a brain storming session using the guidelines of SAS 99 and
suggested brainstorming approaches such as those recently published (selected articles on CD).
-
8/2/2019 Fraud Detection Using Analytics
8/37
The brain storming sessions have been fruitful and identified a number of potential fraud risk
areas:
Collusion in refund approvals Refunds made to employees
Duplicate refunds Refunds in excess of the purchase amount
As a result of those brain storming sessions, the following expectations have been set out:
1. Because call center contacts are assigned randomly, each call center employee shouldhave roughly the same number of customer authorizations
2. The refund process typically takes 46 days from start to finish. There should be fewinstances where the timeline is different
3. There should be few refunds made to employees4. The Sapo system log of check numbers issued should contain no gaps5.
Because the refund amounts are based on actual sales, they should follow the patternexpected using Benfords law
6. There should be no duplicate refunds7. There should be no refunds which exceed the purchase costs8. Because refunds are based on actual sales, there should be few round number amounts9. Since the call center is only open during regular business hours there should be no
approvals outside those hours
10.There should be a close correlation between sales and refunds11.The separation of duties system is working as intended
IT Department
The computer division has a special group of analysts - Online Sales Consultants (OSC) who
routinely monitor the Sapo transactions in order to identify marketing trends, businessopportunities, etc. They have provided you with all the data for the last quarter. This data
consists of about 10,000 transactions which have been loaded into an Excel workbook and
broken out into five work sheets as follows:
1. Cusromer Refund
2. Call Center
3. Treasury
4. Accounts Receivable
5. Employee
Mission
-
8/2/2019 Fraud Detection Using Analytics
9/37
Your mission, should you decide to accept it, is to look at these transactions and provide an
independent assessment to management regarding fraud risk.
Hintthere are too many transactions to perform a manual review.
Tasksusing the data provided, go through the risk areas identified. Determine if there are anyfraud indicators which might merit a further investigation.
Data in the Excel Work Book
The work book consists of six work sheets:
Employeeinformation about each employee, including name and address
Call Centerhas a log of activity:
CallDate
Call Time Call Employee Customer Amount
ARaccounts receivable history information
Customer Refund amount Call Employee
Customer Balance
Treasuryinformation from the refund disbursements log, combined with customer refundinformation
Customer Refund amount Authorization Check Date Check Number Customer last name
Customer first name Customer street address Customer City Customer State
Customer Servicelogs from the customer service center
Customer
-
8/2/2019 Fraud Detection Using Analytics
10/37
Refund amount Authorizer Authorization date Authorization time Customer last name
Customer first name Customer street address Customer City Customer State
RefundsAll of the information above (except employee information) has also been combinedonto a single worksheet, should you wish to work with one worksheet instead of many.
Getting Started
For each of the eleven expectations, design a test to determine if the expectation has been met or
not. For example, the first expectation is that because the calls are assigned randomly in the callcenter, there will be about the same number of calls handled by each employee.
Whether this is, in fact, the case, could be determined by preparing a summary of refunds byemployee.
Each of the other expectations can be checked using one or more of the tools discussed duringthe session.
Possible approaches for checking expectations.
Expectation 1
1. Because the call center uses an automated system, each employee should be handling roughly
the same number of customer calls over the period of review.
Summarize call center log records by employee. Examine counts.
Expectation 2
2. The refund process typically takes 46 days from start to finish. There should be few
instances where the timeline is different
One approach is to prepare a data stratification based upon the number of elapsed days contained
in each transaction. This can be done either as a single step or as a two step process.
The two step process would involved having the system make a calculation as to the number of
days elapsed. The second step would be to do a data stratification using this calculated amount.
The single step process involves doing a data stratification on the calculated amount.
-
8/2/2019 Fraud Detection Using Analytics
11/37
Expectation 3
3. There should be few refunds made to employees
This test can be performed by doing a match on last name and first name between the employee
master and the treasury log of checks issued. This will require the use of a macro and SQL codeto perform the match.
The SQL code should match up the work sheets Employee and Treasury in order to identify any
instances where two rows exist which meet the following conditions:
Same customer number
Employee last name is same as customer last name
Employee first name is same as customer first name
Expectation 4
4. The Sapo system log of check numbers issued should contain no gaps
A simple check is to run a gap test on the checks issued by the Treasury department. The check
would be made using the check number.
Expectation 5
5. Because the refund amounts are based on actual sales, they should follow the pattern expected
using Benfords law
This test can beperformed using Benfords law on the refund amounts. It may also be instructiveto run a pattern analysis using Benfords law, be employee to determine if any employees have
refunds whose Benford pattern differs significantly from that which is expected.
Expectation 6
6. There should be no duplicate refunds
Potential duplicates can be identified by specifying the names of the columns to be tested. For
example, customer, refund amount. Another example might be customer, check date.
Expectation 7
7. There should be no refunds which exceed the purchase costs
The refund amount (column E on the Combined work sheet) should always be less than the
customer balance (column F).
-
8/2/2019 Fraud Detection Using Analytics
12/37
Expectation 8
8. Because refunds are based on actual sales, there should be few round number amounts
This can be tested using the round number analysis. Also, a pattern test can be used for
differences in round number amounts between customer service representatives. This test willidentify if any employee has a pattern of round number refunds which differs significantly fromthose of all other employees.
Expectation 9
9. Since the call center is only open during regular business hours there should be no approvalsoutside those hours
One check that can be performed is to look for transaction approvals outside normal business
hours. Several tests are available, such as population statistics and data extraction.
Expectation 10
10. There should be a close correlation between sales and refund
Possibly the first step is to simply plot the aggregate sales and refunds by day or week to
determine the overall trend, and correlation, if any.
This step can be refined by looking at individual employees, possibly focusing on those with the
largest dollar amount of refunds.
Expectation 11
11. The separation of duties system is working as intended
One test that could check for separation of duties is to check for any of the following conditions:
Check for call center employee = customer service employee
Check for call center employee = treasury employee
Check for treasury employee = customer service employee
All three department employees are the same
It is also possible to determine instances of potential collusion by determining if any particular
combination of approvers is much more common than the rest. This can be done by summarizingrefunds by all three employees. The results of the summary, expressed as counts, can then be
sorted in descending order. From this list, it can be determined if any one combination (or group
of combinations) is much more prevalent than would be expected.
-
8/2/2019 Fraud Detection Using Analytics
13/37
Investigation objectives
Audit Objectives
The SAS 99 brain storming session identified eleven expectations. Each of theseexpectations should be tested. The eleven objectives are summarized below, each with
a link to a brief tutorial explaining how the audit objective can be met.
Expectation - 1
Because the call center uses an automated system, each employee should be handling
roughly the same number of customer calls over the period of review.
Expectation - 2
As the refund process is largely automated, the length of time from when the call
comes in until the refund is issued will be 4 - 6 business days.
Expectation - 3
Most employees can purchase hiking goods at a substantial discount through a payroll
deduction plan. Because these terms are very attractive, refunds are not made to
employees. It is expected that very few, if any, employees will receive refunds.
Expectation - 4
Because the disbursement system is almost 100% automated, the check register
should be complete with no gaps in check numbers of refunds issued.
Expectation - 5
Because the refund amounts are the result of computations, their distribution should
generally follow that expected using Benford's Law.
Expectation - 6
Because of all the validation controls in the system, there should be no duplicate
refunds issued to customers.
Expectation - 7
-
8/2/2019 Fraud Detection Using Analytics
14/37
As the system is automated, there should be no instances where a customer is
refunded an amount greater than the amount the customer actually paid for the goods.
Expectation - 8
because of the pricing amounts and sales tax, it should be quite unusual for there to beround numbers in refund amounts.
Expectation - 9
As the business is open only during standard business hours, there should be few, if
any, approvals outside of normal business hours.
Expectation - 10
As refunds tend to lag sales, there should be a general correlation between sales andrefunds, particularly as to trends.
Expectation - 11
The key control of separation of duties is enforced by the system and should be
operating as intended.
-
8/2/2019 Fraud Detection Using Analytics
15/37
Performing Analytical Procedure
The decision as to which type of analytical procedure is appropriate for a particular
type of analysis can be facilitated by the decision tree shown below. Starting the first
row, answer each question with either a Yes or a no and then proceed to the next step.
Steps consist of numbers and procedures are identified by letters. Following thisprocess, a potential analytical procedure applicable to a particular investigative
objective may be helpful.Note that the procedures covered in this coure are highlighted in green at the bottom.
Step Question Yes No
1 Analysis is primarily based upon amounts? 6 2
2 Analysis is primarily based on dates? 8 10
3 Analysis based upon classification of amounts? 21 4
4 Analysis based on characteristics of numbers? 11 146 Is the primary objective related to planning? 14 7
7Is the primary objective related to identificationof specific error conditions
A 3
8Are there specific dates or days of the week ofinterest?
9 18
9 Are transactions on holidays needed? H I
10 Will tests for duplicates meet objectives? B 18
11 Will round numbers play a significant role? Q 12
12 Test for "made up" numbers? J 13
13Will extreme values be helpful - largest or
least?M 24
14 Data summarization needed? S 15
15 Control totals needed? R 16
16 Overall classification of the population? 21 17
21 Classification with "by" variable K 22
22 Stratification by numeric ranges? L N
17 Selection of a random sample P V
18 Can ageing analysis support the objective? 19 20
19 Overall population ageing helpful? C D
20 Test for missing dates? E 23
23Looking for transaction within specific date
rangesF,G V
24 Check for missing numeric sequence values O 25
-
8/2/2019 Fraud Detection Using Analytics
16/37
25 Will tests for linear relations help? T 26
26Can testing for same, same, different beapplied?
U V
- Analytic Procedures
A Data extractB Duplicates
C Ageing
D Ageing by Value
E Date Gaps
F Date Near
G Date Range
H Holiday Dates
I Date Selection
J Benford's Law
K Cross Tabulation
L Data stratification
M Extreme Values
N Histogram
O Numeric Sequence Gaps
P Random Sample
Q Round Numbers
R Statistics
S Summarization
T Linear regression
U Same, Same, different
V Single SQL Statement
-
8/2/2019 Fraud Detection Using Analytics
17/37
Analytic procedures
The types of analytic procedures that could be used will vary based upon the
objectives of the investigation. Outlined below are some of the key types of analytics
that could be deployed.
Expectation - 1
Because the call center uses an automated system, each employee should be handling
roughly the same number of customer calls over the period of review.
Summarization procedure.
Expectation - 2
As the refund process is largely automated, the length of time from when the call
comes in until the refund is issued will be 4 - 6 business days. Data extraction.
Expectation - 3
Most employees can purchase hiking goods at a substantial discount through a payrolldeduction plan. Because these terms are very attractive, refunds are not made to
employees. It is expected that very few, if any, employees will receive refunds. Data
extraction.
Expectation - 4
Because the disbursement system is almost 100% automated, the check register
should be complete with no gaps in check numbers of refunds issued. Sequence gaps.
Expectation - 5
Because the refund amounts are the result of computations, their distribution should
generally follow that expected using Benford's Law.
Expectation - 6
Because of all the validation controls in the system, there should be no duplicate
refunds issued to customers. Duplicates.
Expectation - 7
As the system is automated, there should be no instances where a customer is
refunded an amount greater than the amount the customer actually paid for the goods.
Data extraction.
Expectation - 8Because of the pricing amounts and sales tax, it should be quite unusual for there to be
round numbers in refund amounts. Round numbers.
Expectation - 9
As the business is open only during standard business hours, there should be few, if
any, approvals outside of normal business hours. Data extraction.
-
8/2/2019 Fraud Detection Using Analytics
18/37
Expectation - 10
As refunds tend to lag sales, there should be a general correlation between sales and
refunds, particularly as to trends. Trend lines.
Expectation - 11
The key control of separation of duties is enforced by the system and should be
operating as intended. Data extraction.
-
8/2/2019 Fraud Detection Using Analytics
19/37
Data structureData for Hikers 'R Us is contained in seven tables which are more fully described
below. The tables are:
1. Refunds2. Accounts Receivable3. Call Center Employees4. Treasury (Paid refund checks)5. Call Center activity6. Customer Service7. Revenue
Refunds
Field Type Null Key Default Extra
Call_Date date Date the call came in
Call_Time time Time the call came in
Call_Center_Employee varchar(50)Initials of the call center
employee
Customer varchar(50) Customer number
Amount decimal(10,2) Amount of refund
Customer_Balance decimal(10,2)
Balance on customer's
account
Treasury_Auth varchar(50) Approval id in Treasury
Check_Date date Date of refund check
Check_Number int(11) Refund check number
Lastname varchar(50) Customer last name
Firstname varchar(50) Customer first name
Address varchar(50) Customer street address
City varchar(50) Customer City
CSState varchar(5) Customer State
Cust_Serv_Auth varchar(50)Customer Service
Approver
CS_Auth date Date of authorization
Auth_Time time Time of authorization
-
8/2/2019 Fraud Detection Using Analytics
20/37
Sales_date date Date of sale
Accounts Receivable
Field Type Null Key Default Extra
Customer varchar(20) Customer numberRefund_Amount decimal(10,2) Refund Amount
Customer_Balance decimal(10,2)Customer account
balance
Call Center Employees
Field Type Null
LASTNAME varchar(50) Employee last name
FIRSTNAME varchar(50) Employee first name
MIDNAME varchar(50) Employee middle initialDOB date Date of birth
ADDRESS varchar(50) Address
CITY varchar(50) City
ESTATE varchar(50) State
ZIP varchar(50) Zip Code
Phone varchar(50) Telephone number
Call Center Activity
Field Type Null Key Default Extra
Call_Date date Date call came in
Call_Time time Time call came in
Call_Employee varchar(20) Employee initials
Customer varchar(20) Customer number
Amount decimal(10,2) Refund amount
Sales_Date date Sales dates
Customer Service
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Refund_Amount decimal(10,2) Refund amount
Auth varchar(20) Approver id
Auth Date date Approval date
-
8/2/2019 Fraud Detection Using Analytics
21/37
Auth Time time Approval time
Revenue
Field Type Null Key Default Extra
Customer varchar(20) Customer numberInvoice_Amount decimal(10,2) Invoice amount
Auth varchar(20) Approver
Sales_Date date Invoice date
Invoice_Number integer Invoice number
Last_Name varchar(20) Last name
First_Name varchar(20) First name
Address varchar(20) Address
City varchar(20) City
State varchar(20) State
ZIP varchar(20) Zip Code
Phone varchar(20) Phone number
Treasury
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Refund_Amount decimal(10,2) Refund amount
Auth varchar(20) Approver
Check_Date date Refund check date
Check_Number int(11) Refund check number
Last_Name varchar(20) Customer last name
First_Name varchar(20) Customer first name
Address varchar(20) Customer address
City varchar(20) Customer city
State varchar(20) Customer StateZIP varchar(20) Customer zip code
Phone varchar(20) Phone number
-
8/2/2019 Fraud Detection Using Analytics
22/37
Summarization as an analytical toolData summarization can be an effective analytical tool which is very useful in fraud
investigations. There is one investigation objective which can be met using
summarization:
Expectation - 1
Because the call center uses an automated system, each employee should be handling roughly the
same number of customer calls over the period of review.
Click on the video link below to see an overview of the process to summarize data
Length 3:00
Fraud_Detection_Summarization_su1.mp4
Click on the video link below to see a demonstration of the process to summarize
data Length 4:39
Fraud_Detection_Summarization_su2.mp4
http://fraud_detection_summarization_su1.mp4/http://fraud_detection_summarization_su1.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su1.mp4/ -
8/2/2019 Fraud Detection Using Analytics
23/37
Data extraction as an analytical toolData extraction is a powerful analytical tool which is very useful in fraud
investigations. It allows for the testing of specified conditions on a 100% basis. There
are three expectations which can be tested using data extraction.
Expectation 2
As the refund process is largely automated, the length of time from when the call comes in until
the refund is issued will be 4 - 6 business days.
Expectation 3
Most employees can purchase hiking goods at a substantial discount through a payroll deductionplan. Because these terms are very attractive, refunds are not made to employees. It is expected
that very few, if any, employees will receive refunds.
Expectation 7
As the system is automated, there should be no instances where a customer is refunded anamount greater than the amount the customer actually paid for the goods.
Click on the video link below to see a demonstration of the data extraction process.
Length 3:31
Fraud_Detection_Data_extraction_de.mp4
Data extraction for the purpose of identifying errors.
Length 4:16
Fraud_Detection_Data_extraction_de2.mp4
http://fraud_detection_data_extraction_de.mp4/http://fraud_detection_data_extraction_de.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de.mp4/ -
8/2/2019 Fraud Detection Using Analytics
24/37
Selection of round numbersRound numbers are often an indication of estimates, which may or may not be
appropriate, depending upon the circumstances. In some cases, round number
amounts are a "red flag" There is one investigation objective which can be met by
testing for round numbers.
Expectation - 8
Because of the pricing amounts and sales tax, it should be quite unusual for there to be
round numbers in refund amounts.
Click on the video link below to see audit uses for round number tests.
Length 2:19
Fraud_Detection_Selection_of_round_number_transactions_rn.mp4
Click on the video link below to see a demonstration of the process to identify round
numbers.
Length 3:17
Fraud_Detection_Selection_of_round_number_transactions_rn2.mp4
http://fraud_detection_selection_of_round_number_transactions_rn.mp4/http://fraud_detection_selection_of_round_number_transactions_rn.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn.mp4/ -
8/2/2019 Fraud Detection Using Analytics
25/37
Trend line analysis - spotting the unusual (2:57)
Trend lines indicate the norm or expectation. Fluctuations, "spikes" etc. can indicate a
"red flag" which should be investigated. There is one investigation objective which
can be met using trend lines:
Expectation - 10
As refunds tend to lag sales, there should be a general correlation between sales and refunds,
particularly as to trends.
Trend line analysis can be done by first summarizing data by date using the ageing function and
then comparing and plotting that data using Excel.
Click on the video link below to see a demonstration of the process to summarize data.
Length 2:27
Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4
Gaps - what you see is interesting, what you
DON'T see is criticalGaps in numeric sequences (or date sequences) can indicate missing data. There is one
investigation objective which can be met using gaps:
Expectation - 4
Because the disbursement system is almost 100% automated, the check register should becomplete with no gaps in check numbers of refunds issued.
Click on the video link below to see a demonstration of the process to identify missing document
numbers through the use of the numeric sequence gaps function.
Length 2:29
Fraud_Detection_Gaps_what_you_see_is_interesting_what_you_DON_T_see_is_crit
ical_2_29_gp0.mp4
http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/ -
8/2/2019 Fraud Detection Using Analytics
26/37
Odd hour transactionsTransactions performed at odd hours should also be investigated, in many cases.
There is one investigation objective which can be met using tests based upon
transaction times:
Expectation - 9
As the business is open only during standard business hours, there should be few, if any,
approvals outside of normal business hours.
Click on the video link below to see a demonstration of the process to check for specific
transaction times.
Length 3:34
Fraud_Detection_Odd_hour_transactions_3_34_time.mp4
Liars and outliersOften the largest (or smallest) transactions are of interest. Although there is no
specific investigation objective involving the identification of largest amounts, this
information is often useful.
Identify the five largest and smallest invoices. Secondarily, narrow the test to invoices
originating from vendors in California.
Click on the video link below to see a demonstration of the process of identifying the largestamounts from a population of transactions or other data.
Length 4:00
Fraud_Detection_Liars_and_outliers_4_00_ol.mp4
http://fraud_detection_odd_hour_transactions_3_34_time.mp4/http://fraud_detection_odd_hour_transactions_3_34_time.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_odd_hour_transactions_3_34_time.mp4/ -
8/2/2019 Fraud Detection Using Analytics
27/37
Benford's Law - looking out for number oneBenford's law is a classic approach to the identification of "made up" amounts. There
is one investigation objective which can be met using Benford's Law:
Expectation - 5
Because the refund amounts are the result of computations, their distribution should generally
follow that expected using Benford's Law.
Click on the video link below to see a an overview of Benford's law.
Length 8:29
Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben.mp4
Click on the video link below to see a demonstration of the process to test the
application of Benford's law.
Length 2:51
Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben1.mp4
http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/ -
8/2/2019 Fraud Detection Using Analytics
28/37
EXERCISE 1 - SUMMARIZATION
The first expectation was that the number of refunds issued would be roughly the
same per customer service representative because the system has an automated system
for assignment of calls to representatives and each representative would spendapproximately the same time with each customer, on average.
This expectation can be tested by summarizing the refund amounts by call center
representative and looking at the results obtained. In order to do this, the following
steps should be taken:
1. Browse to the URLhttp://webcaat.org/webcaat/2. Sign into the system using the id 'hru1' and the password 'hru1'3. Specify a database of 'hru' (not test)4.
Click the "sign in" button5. Select the table 'Refunds' from the drop down list
6. Select the menu item 'Numeric functions | Summarization'7. Enter the information in to be summarized8. Click the "Process" button9. View the results
Were the results as you expected?
Which employee had the largest number of transactions and dollar amount of
transactions?
Were they significantly different from the others?
What plausible explanations are there be for this?
Answer to exercise
Next exercise
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/webcaat/ -
8/2/2019 Fraud Detection Using Analytics
29/37
Exercise 1 - Data Summarization (answer)
Click the video below to see the answer to this exercise. Length 3:12
Fraud_Detection_Answer_Exercise_1_3_12_ex1.mp4
http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/ -
8/2/2019 Fraud Detection Using Analytics
30/37
Exercise 2 - Data extraction
Data extraction can be used to check several of the expectations. The first of these
expetctations are that the number of elapsed business days is 4 - 6 for refund checks to
be issued once the refund request has come in.
This expectation can be checked by having the system examine the elapsed days
between the date the check is issued and the date that initial request was received and
approved in a phine call.
In order to determine the number of elapsed days between two dates, the built in
MySQL function "datediff" can be used.
To make this determination use the menu item "Numeric Functions|Statistics" and
enter the following information into the "where (criteria) box:
datediff(Check_Date,Call_Date) not between 4 and 6.
This statement, in English, means summarize all the refund amounts where the
difference between the check date and the call date were not between 4 and 6.
After you have run this test, provide the following information.
How many transactions did not have a check issued within 4 - 6 days after the call
date?
How many were earlier?
Were there any transactions that seem highly unusual? Why?
Answer - Exercise 2 (Length of time for refunds) (4:59)
Length 4:59
Fraud_Detection_Answer_Exercise_2_4_59_ex2.mp4
http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/ -
8/2/2019 Fraud Detection Using Analytics
31/37
Exercise 3 - Round numbers
There was an expectation that refund amounts should generally not be round numbers
because the amount of the refund is based on the actual sales price plus tax and
shipping.
This can be tested using the following steps:
1. Sign in to the Web CAAT application athttp://webcaat.org/webcaat/2. Select the table "Refunds"3. Use the menu item "Numeric tests | round numbers"4. Test the refund amount5. Click "Process"
How many round number refund amounts were there?
Answer - Exercise 3 Round numbers
Click on the link below to see the exercise done.
Length 2:20
Fraud_Detection_Answer_Exercise_3_2_20_ex3.mp4
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://webcaat.org/webcaat/ -
8/2/2019 Fraud Detection Using Analytics
32/37
Exercise 4 - Trend Analysis
One of the expectations was that there should be a general correlation between the
number and amount of refunds and the amount of sales. This is based upon the
reasoning that the percentage of refunds will tend to remain constant.
One of the tests for this is to simply see what the trend has been for sales over the
recent period and then compare that trend with refunds which have been issued.
This can be accomplished using the ageing function and the following steps:
To determine the refund trend:
1. Sign on to the system athttp://webcaat.org/webcaat/2. Select table "Refunds"3. Age the refund amount by date, e.g. Call date4. Use the refund amount as the basis for ageing5. Select an ageing date of '2008-06-30'6. Select an ageing bucket of 307. Run the report
To determine the sales trend:
1. Select the Revenue table2. Age revenue transactions based on sales date3. Use criteria similar to that used for Refunds4. Run the report
What was the trend for Sales?
What was the trend for Refunds?
Does any of this seem suspicious? Why?
Answer - Exercise 4 Trend line analysis
Length (6:26)
Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://webcaat.org/webcaat/ -
8/2/2019 Fraud Detection Using Analytics
33/37
Exercise 5 - Gaps
Because the company uses an automated system to issue refund checks, they have the
expectation that the refund checks are issued using sequentially numbered checks.Thus, one of the expectations is that a test of the check numbers for refund checks will
not disclose any missing check numbers. This can be tested by using the following
procedure:
1. Sign in to the system athttp://webcaat.org/webcaat/(id 'hru1' , password 'hru1'and database 'hru'
2. Select the table named "Refunds"3. Use the menu item "Numeric functions | Numeric Sequence Gaps"4. Select the numeric column which has the value to be tested (check number)5. Click "Process"
What did your analysis show?
Is the system working properly?
Answer - Exercise 5 Gaps (2:04)
Length 2:04
Fraud_Detection_Answer_Exercise_5_2_04_ex4.mp4
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_answer_exercise_5_2_04_ex4.mp4/http://fraud_detection_answer_exercise_5_2_04_ex4.mp4/http://fraud_detection_answer_exercise_5_2_04_ex4.mp4/http://webcaat.org/webcaat/ -
8/2/2019 Fraud Detection Using Analytics
34/37
Exercise 6 - Identify "odd" hour transactions
Exercise 6 - Identify "odd" hour transactions
One of the expectations developed was that there should be no transaction
authorizations outside of normal business hours. The business operates five datys aweek between 8:00 a.m. and 5:00 p.m. and they do not accept calls outside those
hours. Therefore there should be no authorizations for refunds outside of these hours.
This can be tested using the following procedure:
1. Log in to the system athttp://webcaat.org/webcaat/2. Select the table "Refunds"3. Use the menu function pertaining to date functions and Date Selection4. Specify the days of the week to test5. Specify the hours of the day to test6. Specify the "and" operation7. Click "Process"
Did your analysis confirm that there are no authorizations outside of regular business
hours?
If there were authorizations outside of normal business hours, during what time did
they occur?
Answer - Exercise 6 (4:27) Length 4:27
Fraud_Detection_Answer_Exercise_6_4_27_ex6.mp4
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_answer_exercise_6_4_27_ex6.mp4/http://fraud_detection_answer_exercise_6_4_27_ex6.mp4/http://fraud_detection_answer_exercise_6_4_27_ex6.mp4/http://webcaat.org/webcaat/ -
8/2/2019 Fraud Detection Using Analytics
35/37
Exercise 7 - Liars and Outliers
For this exercise determine the five largest refunds issued overall as well as the five
largest refunds approved by the call center representative "CF". This can be
accomplished by performing the following steps:
1. Log in to the system athttp://webcaat.org/webcaat2. Select the table "Refunds"3. Select the menu item "Numeric functions | extreme values"4. Select the column "Refund amount"5. Click "Process"
To find the five largest refunds issued by the call center representative "CF" it will be
necessary to provide criteria which limits the test to just those transactions handled by
"CF". That criteria would be specified as follows:
`Call_Center_Employee` = 'CF'
Note that the column name for call center employee contains blanks so therefore it
must be enclosed by opening apostrophes - this character is found in the upper left
portion of the keyboard just to the left of the number "1" key. The initials of the
employee should be enclosed in a single apostrophe.
Take care in entering this criteria information, otherwise an error will occur. (You
may want to copy and paste this text into the Criteria box on the form).
What was the largest refund amount approved and issued by this employee?
Answer - Exercise 7 Liars and Outliers (7:32)
Length 7:32
Fraud_Detection_Answer_Exercise_7_7_32_ex7.mp4
http://webcaat.org/webcaathttp://webcaat.org/webcaathttp://webcaat.org/webcaathttp://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://webcaat.org/webcaat -
8/2/2019 Fraud Detection Using Analytics
36/37
Exercise 8 - Looking out for #1
The purpose of this exercise is to test the expectation that refund amounts will
generally conform with the amounts predicted by Benford's Law. The reason for the
expectation is that refund amounts are based on actual sales amounts which have a
fairly high range from low to high and are based upon calculated amounts. Also, thereis no single "best seller" that would tend to skew the dollar amounts.
The test of this expection can be performed using the following steps:
1. Sign in to the system athttp://webcaat.org/webcaat2. Select the table "Refunds"3. Use the Menu item "Numeric Procedures | Benford's Law"4. Select the column to be tested of "Refund_Amount" from the drop down list5. Use a Benford test type of "F1" which is also selected from the drop down list.6. Click the "Process" button.
What was the Chi Square value obtained?
Does it appear that the refund amounts do in fact follow Benford's Law?
Answer - Exercise 8 Looking out for number one Length 3:51
Fraud_Detection_Answer_Exercise_8_3_51_ex8.mp4
http://webcaat.org/webcaathttp://webcaat.org/webcaathttp://webcaat.org/webcaathttp://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://webcaat.org/webcaat -
8/2/2019 Fraud Detection Using Analytics
37/37
Setting up an electronic audit program
In this section, the basics of setting up an electronic audit program to enable the tests
performed in this course to be performed on a repetitive automated basis are covered.
The steps in setting up an electronic audit program are as follows:
1. Develop a narrative audit program as a text document. This document shouldbe generally similar in format to that of existing audit programs.
2. Insert special instruction markers within the document in order to format andsequence the steps in the audit program.
3. Import the document as an audit program using the menu item.4. Develop the scripts for the automated program steps. These will consist of pairs
of scripts. The first script will prompt for the information required to perform
the step. The second script will take the input information, run the program step
and display the results.5. Save the scripts developed and note the names assigned to the script files.6. Assign the script file names developed to the audit program steps.7. Test the electronic audit program to ensure it functions as intended.
The short video narratives in this section walk through the process used to develop
and implement an electronic audit program for the specific program steps in this
exercise to investigate and detect fraud.
Click on the link below to see an overview of the process
Length: 2:04