fraud detection using analytics

8/2/2019 Fraud Detection Using Analytics

1/37

Fraud detection using analytics

Topics

Objectives

Overview

Analytic procedures

Exercises

Continuous auditing

Summarization and wrap-up

Fraud detection using analytics - objectives

Topics

Course Objectives

Case study overview

Course materials

Exercises

Recommended sequence

Home

Detection and investigation of Fraud

This is a case study regarding a fictitious mail order company where an allegation of

fraud has been received. A SAS 99 brainstorming session was held, and 11 critical

expectations were developed during that brain storming session. The case study can

generally be completed in about four hours.

Upon completion of this case study, participants will:

Understand the application ofsummarization and why it is often useful tohighlight areas of possible concern

Learn how to readily identify audit outlier amounts Understand how to implement "matching" to identify critical exceptions See how to quickly check for gaps in numeric sequences
http://webcaat.org/moodle/mod/resource/view.php?id=590http://webcaat.org/moodle/mod/resource/view.php?id=590http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/course/view.php?id=13http://webcaat.org/moodle/course/view.php?id=13http://webcaat.org/moodle/mod/resource/view.php?id=302http://webcaat.org/moodle/mod/resource/view.php?id=318http://webcaat.org/moodle/mod/resource/view.php?id=303http://webcaat.org/moodle/mod/resource/view.php?id=304http://webcaat.org/moodle/mod/resource/view.php?id=301http://webcaat.org/moodle/mod/resource/view.php?id=609http://webcaat.org/moodle/mod/resource/view.php?id=594http://webcaat.org/moodle/mod/resource/view.php?id=593http://webcaat.org/moodle/mod/resource/view.php?id=592http://webcaat.org/moodle/mod/resource/view.php?id=591http://webcaat.org/moodle/mod/resource/view.php?id=590


2/37

Understand and apply Benford's Law to items such as revenue, for the purposeof determining reasonableness

Know how to quickly identify all types ofduplicates Extract just transactions with errors, according to auditor provided

specifications

Isolate transactions with round numbers for further review Be able to check logs for transactions initiated during non-business hours Know how to summarize time line data using ageing in order to spot unusual

trends

Check that separation of duties controls are effectiveHow this is done

Recommended steps are as follows:

Read the narrative in order to gain an understanding of the environment beingaudited (or watch to short video overview)

Optionally, download thecase study data (Excel 2003 workbook) - however allthe data needed is available online

Select any or all of the short videos which demonstrate possible audit solutions Test your knowledge by re-performing the audit procedures (or using

alternative methods)

Hikers 'R Us Case StudyRecommended sequence

Recommended steps are as follows:

Follow the steps, item by item, in the course outline Read thenarrativein order to gain an understanding of the environment being

audited (or watch to short video overview)

Optionally, download thecase study data (Excel 2003 workbook) for review(however, this step is not required because all the data is available online)

Select any or all of the short videos which demonstrate possible audit solutions Test your knowledge by re-performing the audit procedures (or using

alternative methods)
http://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Customer_Refund.xlshttp://ezrstats.com/Tutorials/Exercise-20B.htmhttp://ezrstats.com/Tutorials/Customer_Refund.xls


3/37

Course materials

All of the course materials are available on-line. These are included as links in the

course material.

Thefinal moduleat the end of the course also includes a number of links to otherreferences of possible interest.

The online course material consists of simulated vendor and employee data suitablefor audit testing. The data is contained on a cloud server in a database. In order to

access this data, a proper user id and password must be provided. The user id for the

Fraud Detection course is "hru1" with a password of "hru1". The name of the

database to be specified is "hru". All of this information is provided without the

quotes and is case sensitive.

The login form is shown below.
http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336http://webcaat.org/moodle/mod/resource/view.php?id=336


4/37

Once a login has been successfully completed, a table should be selected from the

drop down list. This form appears as follows.

The course uses seven database tables as follows:

AR (customer receivables)

Call_Center (Call Center transactions)

Customer_Service (Customer Service authorizations)

Employee (Employee master file)

Refunds (Refunds issued)

Revenue (Sales transactions)

Treasury (Authorizations by the Treasury department


5/37

Case study exercises

"I hear and I forget. I see and I remember. I do and I understand." - Confucius

Overview

Performing exercises reinforces the concepts taught and better ensures that the auditor

will be able to apply the concepts learned in future audits.

Structure

Concepts are presented and discussed. Then an example of how to apply the concept

is presented. Following this an example exercise with instructions is presented in

order to test the participant's understanding of the concepts. Finally, the answer to the

exercise is also presented in order to compare the results obtained by the participant

with the suggested procedure.

Watching the exercise

When tutorials are presented, they may be accompanied by a video. These videos

have a control bar at the bottom of the video to navigate and control how the video is

presented. Click on the link below to view the process to control the videos using the

control bar.

Narration (2:03)

Fraud_Detection_Exercises_video.mp4
http://fraud_detection_exercises_video.mp4/http://fraud_detection_exercises_video.mp4/http://fraud_detection_exercises_video.mp4/


6/37

Case study overview

Hikers 'R Us Narrative

Overview

Founded in 1978, Hikers R Us is the premier mail order firm supplying a wide range of qualityhiking and camping supplies and equipment. Almost all of the items are sold through mail order

to customers in the United States and Canada. The goods are imported from China. Hikers R Ushas been profitable for some time. They have transitioned from doing business on paper through

several computer based systems.

Refund Policy

Hikers R Us has a very liberal return policy so they will accept returns for almost any reason.Returns have historically been low at around 1% of sales. A recent routine audit of sales returns

did not disclose any weaknesses or errors. Although revenues have been flat, returns have beensteadily increasing.

System Operations

The company uses the enterprise software from the Mexican software company Sapo. (Sapomeans toad in Spanish). Controls over cash refunds are very tight. First, the software system

itself performs extensive checking and cross-checking at every step in the refund process. Thecomputer system is housed in a highly secured area and physical access is severely limited.

The refund process begins when a customer contacts the call center in Leland, North Carolina.

Call center hours are 8:00 a.m. to 5:00 p.m. on business days typically Monday through Fridayand excluding holidays. Calls come through an automated voice recording system where the

customer enters their account number. When a call center representative takes the call, the

customers account is brought up immediately in the Sapo system and the representative canverify that the purchase was made. The call center representative then completes a form 2134

Customer Refund Quest. The original is a white page, which is filed in the Call Center in

numerical order. The yellow copy is forwarded to the Customer Service center where it is filed in

the customers account file. The third copy, pink, is sent to the Treasury Department. Sapo

includes a state of the art work flow system. The system logs all of the activity.

The work flow system assigns the call center information randomly to one of twenty customer

service center representatives. (Customer service center representatives are separate from the callcenter staff). Each customer service center representative logs onto the Sapo system andexamines their work queue which consists of customer refund requests. The customer service

center representative then pulls the yellow copy of the refund request from the customers file,verifies that the customer information is correct and then checks that the order refund request is

appropriate considering the purchase date and amount. The Sapo system maintains a history ofaccount activity for each customer.


7/37

Once the customer service center representative has completed the review, the yellow copy is

signed, dated and initialed and then returned to the customer file. The work queue is markedcomplete and the Sapo system then assigns the request to a random employee in the Treasury

department for review and final approval.

The Treasury department is located in Ocracoke, North Carolina. They receive the pink copy ofthe customer refund request, which is faxed from Leland. When each employee in Ocracoke logs

on the Sapo system, they review their work queue to see the customer refund requests that havebeen assigned to them by the system. Each request in the system is then matched against the

faxed pink copy and the amounts are verified against the Sapo customer history file. They then

initial and date the fax form and file it in sequential order. When complete, they approve therefund request in the work queue system. The next business day after the refund request has been

approved, checks are printed, burst, stuffed and mailed from the data center in Charlotte, North

Carolina.

Hot Line

The company has a hot line and recently received a number of calls (all but one wereanonymous) that an inside ring was stealing fairly significant amounts of money using the refund

process. Hikers R Us recently implemented their Window to the World policy that all fraud

allegations would be detailed and publicized so that their shareholders, employees and vendorswould be able to see all allegations. This would serve as a deterrent to any fraudsters.

You contacted the one identified person making the allegation and found that he is now

completely uncooperative. All he would say is that as an employee, he is unhappy because

despite working hard, he has not gotten a raise in years. He also said he has spotted two Porsches

and three Hummers in the company parking lot that were not there before and wonders how

employees can afford these.

Refund Supervisor

The supervisor of refunds informs you that there is no problem. With the economy in bad shape,people are cutting back on camping, but now seem less reluctant to ask for a refund. He said

some customers are definitely taking advantage of the liberal refund policy. He is also annoyed

that you are even asking about this, stating that he was just audited by Poe, Pollock and

Cartwright, a small regional auditing firm. The audit proved there were no problems. Due toforced cutbacks his staff is now working overtime. With all that is going on he asks that any

further questions be cancelled or deferred.

Management Request

Management also doesnt think there is a problem, but they would like for you to take a look.

Youve decided to set up a brain storming session using the guidelines of SAS 99 and

suggested brainstorming approaches such as those recently published (selected articles on CD).


8/37

The brain storming sessions have been fruitful and identified a number of potential fraud risk

areas:

Collusion in refund approvals Refunds made to employees

Duplicate refunds Refunds in excess of the purchase amount

As a result of those brain storming sessions, the following expectations have been set out:

1. Because call center contacts are assigned randomly, each call center employee shouldhave roughly the same number of customer authorizations

2. The refund process typically takes 46 days from start to finish. There should be fewinstances where the timeline is different

3. There should be few refunds made to employees4. The Sapo system log of check numbers issued should contain no gaps5.

Because the refund amounts are based on actual sales, they should follow the patternexpected using Benfords law

6. There should be no duplicate refunds7. There should be no refunds which exceed the purchase costs8. Because refunds are based on actual sales, there should be few round number amounts9. Since the call center is only open during regular business hours there should be no

approvals outside those hours

10.There should be a close correlation between sales and refunds11.The separation of duties system is working as intended

IT Department

The computer division has a special group of analysts - Online Sales Consultants (OSC) who

routinely monitor the Sapo transactions in order to identify marketing trends, businessopportunities, etc. They have provided you with all the data for the last quarter. This data

consists of about 10,000 transactions which have been loaded into an Excel workbook and

broken out into five work sheets as follows:

1. Cusromer Refund

2. Call Center

3. Treasury

4. Accounts Receivable

5. Employee

Mission


9/37

Your mission, should you decide to accept it, is to look at these transactions and provide an

independent assessment to management regarding fraud risk.

Hintthere are too many transactions to perform a manual review.

Tasksusing the data provided, go through the risk areas identified. Determine if there are anyfraud indicators which might merit a further investigation.

Data in the Excel Work Book

The work book consists of six work sheets:

Employeeinformation about each employee, including name and address

Call Centerhas a log of activity:

CallDate

Call Time Call Employee Customer Amount

ARaccounts receivable history information

Customer Refund amount Call Employee

Customer Balance

Treasuryinformation from the refund disbursements log, combined with customer refundinformation

Customer Refund amount Authorization Check Date Check Number Customer last name

Customer first name Customer street address Customer City Customer State

Customer Servicelogs from the customer service center

Customer


10/37

Refund amount Authorizer Authorization date Authorization time Customer last name

Customer first name Customer street address Customer City Customer State

RefundsAll of the information above (except employee information) has also been combinedonto a single worksheet, should you wish to work with one worksheet instead of many.

Getting Started

For each of the eleven expectations, design a test to determine if the expectation has been met or

not. For example, the first expectation is that because the calls are assigned randomly in the callcenter, there will be about the same number of calls handled by each employee.

Whether this is, in fact, the case, could be determined by preparing a summary of refunds byemployee.

Each of the other expectations can be checked using one or more of the tools discussed duringthe session.

Possible approaches for checking expectations.

Expectation 1

1. Because the call center uses an automated system, each employee should be handling roughly

the same number of customer calls over the period of review.

Summarize call center log records by employee. Examine counts.

Expectation 2

2. The refund process typically takes 46 days from start to finish. There should be few

instances where the timeline is different

One approach is to prepare a data stratification based upon the number of elapsed days contained

in each transaction. This can be done either as a single step or as a two step process.

The two step process would involved having the system make a calculation as to the number of

days elapsed. The second step would be to do a data stratification using this calculated amount.

The single step process involves doing a data stratification on the calculated amount.


11/37

Expectation 3

3. There should be few refunds made to employees

This test can be performed by doing a match on last name and first name between the employee

master and the treasury log of checks issued. This will require the use of a macro and SQL codeto perform the match.

The SQL code should match up the work sheets Employee and Treasury in order to identify any

instances where two rows exist which meet the following conditions:

Same customer number

Employee last name is same as customer last name

Employee first name is same as customer first name

Expectation 4

4. The Sapo system log of check numbers issued should contain no gaps

A simple check is to run a gap test on the checks issued by the Treasury department. The check

would be made using the check number.

Expectation 5

5. Because the refund amounts are based on actual sales, they should follow the pattern expected

using Benfords law

This test can beperformed using Benfords law on the refund amounts. It may also be instructiveto run a pattern analysis using Benfords law, be employee to determine if any employees have

refunds whose Benford pattern differs significantly from that which is expected.

Expectation 6

6. There should be no duplicate refunds

Potential duplicates can be identified by specifying the names of the columns to be tested. For

example, customer, refund amount. Another example might be customer, check date.

Expectation 7

7. There should be no refunds which exceed the purchase costs

The refund amount (column E on the Combined work sheet) should always be less than the

customer balance (column F).


12/37

Expectation 8

8. Because refunds are based on actual sales, there should be few round number amounts

This can be tested using the round number analysis. Also, a pattern test can be used for

differences in round number amounts between customer service representatives. This test willidentify if any employee has a pattern of round number refunds which differs significantly fromthose of all other employees.

Expectation 9

9. Since the call center is only open during regular business hours there should be no approvalsoutside those hours

One check that can be performed is to look for transaction approvals outside normal business

hours. Several tests are available, such as population statistics and data extraction.

Expectation 10

10. There should be a close correlation between sales and refund

Possibly the first step is to simply plot the aggregate sales and refunds by day or week to

determine the overall trend, and correlation, if any.

This step can be refined by looking at individual employees, possibly focusing on those with the

largest dollar amount of refunds.

Expectation 11

11. The separation of duties system is working as intended

One test that could check for separation of duties is to check for any of the following conditions:

Check for call center employee = customer service employee

Check for call center employee = treasury employee

Check for treasury employee = customer service employee

All three department employees are the same

It is also possible to determine instances of potential collusion by determining if any particular

combination of approvers is much more common than the rest. This can be done by summarizingrefunds by all three employees. The results of the summary, expressed as counts, can then be

sorted in descending order. From this list, it can be determined if any one combination (or group

of combinations) is much more prevalent than would be expected.


13/37

Investigation objectives

Audit Objectives

The SAS 99 brain storming session identified eleven expectations. Each of theseexpectations should be tested. The eleven objectives are summarized below, each with

a link to a brief tutorial explaining how the audit objective can be met.

Expectation - 1

Because the call center uses an automated system, each employee should be handling

roughly the same number of customer calls over the period of review.

Expectation - 2

As the refund process is largely automated, the length of time from when the call

comes in until the refund is issued will be 4 - 6 business days.

Expectation - 3

Most employees can purchase hiking goods at a substantial discount through a payroll

deduction plan. Because these terms are very attractive, refunds are not made to

employees. It is expected that very few, if any, employees will receive refunds.

Expectation - 4

Because the disbursement system is almost 100% automated, the check register

should be complete with no gaps in check numbers of refunds issued.

Expectation - 5

Because the refund amounts are the result of computations, their distribution should

generally follow that expected using Benford's Law.

Expectation - 6

Because of all the validation controls in the system, there should be no duplicate

refunds issued to customers.

Expectation - 7


14/37

As the system is automated, there should be no instances where a customer is

refunded an amount greater than the amount the customer actually paid for the goods.

Expectation - 8

because of the pricing amounts and sales tax, it should be quite unusual for there to beround numbers in refund amounts.

Expectation - 9

As the business is open only during standard business hours, there should be few, if

any, approvals outside of normal business hours.

Expectation - 10

As refunds tend to lag sales, there should be a general correlation between sales andrefunds, particularly as to trends.

Expectation - 11

The key control of separation of duties is enforced by the system and should be

operating as intended.


15/37

Performing Analytical Procedure

The decision as to which type of analytical procedure is appropriate for a particular

type of analysis can be facilitated by the decision tree shown below. Starting the first

row, answer each question with either a Yes or a no and then proceed to the next step.

Steps consist of numbers and procedures are identified by letters. Following thisprocess, a potential analytical procedure applicable to a particular investigative

objective may be helpful.Note that the procedures covered in this coure are highlighted in green at the bottom.

Step Question Yes No

1 Analysis is primarily based upon amounts? 6 2

2 Analysis is primarily based on dates? 8 10

3 Analysis based upon classification of amounts? 21 4

4 Analysis based on characteristics of numbers? 11 146 Is the primary objective related to planning? 14 7

7Is the primary objective related to identificationof specific error conditions

A 3

8Are there specific dates or days of the week ofinterest?

9 18

9 Are transactions on holidays needed? H I

10 Will tests for duplicates meet objectives? B 18

11 Will round numbers play a significant role? Q 12

12 Test for "made up" numbers? J 13

13Will extreme values be helpful - largest or

least?M 24

14 Data summarization needed? S 15

15 Control totals needed? R 16

16 Overall classification of the population? 21 17

21 Classification with "by" variable K 22

22 Stratification by numeric ranges? L N

17 Selection of a random sample P V

18 Can ageing analysis support the objective? 19 20

19 Overall population ageing helpful? C D

20 Test for missing dates? E 23

23Looking for transaction within specific date

rangesF,G V

24 Check for missing numeric sequence values O 25


16/37

25 Will tests for linear relations help? T 26

26Can testing for same, same, different beapplied?

U V

- Analytic Procedures

A Data extractB Duplicates

C Ageing

D Ageing by Value

E Date Gaps

F Date Near

G Date Range

H Holiday Dates

I Date Selection

J Benford's Law

K Cross Tabulation

L Data stratification

M Extreme Values

N Histogram

O Numeric Sequence Gaps

P Random Sample

Q Round Numbers

R Statistics

S Summarization

T Linear regression

U Same, Same, different

V Single SQL Statement


17/37

Analytic procedures

The types of analytic procedures that could be used will vary based upon the

objectives of the investigation. Outlined below are some of the key types of analytics

that could be deployed.

Expectation - 1

Because the call center uses an automated system, each employee should be handling

roughly the same number of customer calls over the period of review.

Summarization procedure.

Expectation - 2

As the refund process is largely automated, the length of time from when the call

comes in until the refund is issued will be 4 - 6 business days. Data extraction.

Expectation - 3

Most employees can purchase hiking goods at a substantial discount through a payrolldeduction plan. Because these terms are very attractive, refunds are not made to

employees. It is expected that very few, if any, employees will receive refunds. Data

extraction.

Expectation - 4

Because the disbursement system is almost 100% automated, the check register

should be complete with no gaps in check numbers of refunds issued. Sequence gaps.

Expectation - 5

Because the refund amounts are the result of computations, their distribution should

generally follow that expected using Benford's Law.

Expectation - 6

Because of all the validation controls in the system, there should be no duplicate

refunds issued to customers. Duplicates.

Expectation - 7

As the system is automated, there should be no instances where a customer is

refunded an amount greater than the amount the customer actually paid for the goods.

Data extraction.

Expectation - 8Because of the pricing amounts and sales tax, it should be quite unusual for there to be

round numbers in refund amounts. Round numbers.

Expectation - 9

As the business is open only during standard business hours, there should be few, if

any, approvals outside of normal business hours. Data extraction.


18/37

Expectation - 10

As refunds tend to lag sales, there should be a general correlation between sales and

refunds, particularly as to trends. Trend lines.

Expectation - 11

The key control of separation of duties is enforced by the system and should be

operating as intended. Data extraction.


19/37

Data structureData for Hikers 'R Us is contained in seven tables which are more fully described

below. The tables are:

1. Refunds2. Accounts Receivable3. Call Center Employees4. Treasury (Paid refund checks)5. Call Center activity6. Customer Service7. Revenue

Refunds

Field Type Null Key Default Extra

Call_Date date Date the call came in

Call_Time time Time the call came in

Call_Center_Employee varchar(50)Initials of the call center

employee

Customer varchar(50) Customer number

Amount decimal(10,2) Amount of refund

Customer_Balance decimal(10,2)

Balance on customer's

account

Treasury_Auth varchar(50) Approval id in Treasury

Check_Date date Date of refund check

Check_Number int(11) Refund check number

Lastname varchar(50) Customer last name

Firstname varchar(50) Customer first name

Address varchar(50) Customer street address

City varchar(50) Customer City

CSState varchar(5) Customer State

Cust_Serv_Auth varchar(50)Customer Service

Approver

CS_Auth date Date of authorization

Auth_Time time Time of authorization


20/37

Sales_date date Date of sale

Accounts Receivable


Customer varchar(20) Customer numberRefund_Amount decimal(10,2) Refund Amount

Customer_Balance decimal(10,2)Customer account

balance

Call Center Employees

Field Type Null

LASTNAME varchar(50) Employee last name

FIRSTNAME varchar(50) Employee first name

MIDNAME varchar(50) Employee middle initialDOB date Date of birth

ADDRESS varchar(50) Address

CITY varchar(50) City

ESTATE varchar(50) State

ZIP varchar(50) Zip Code

Phone varchar(50) Telephone number

Call Center Activity


Call_Date date Date call came in

Call_Time time Time call came in

Call_Employee varchar(20) Employee initials


Amount decimal(10,2) Refund amount

Sales_Date date Sales dates

Customer Service



Refund_Amount decimal(10,2) Refund amount

Auth varchar(20) Approver id

Auth Date date Approval date


21/37

Auth Time time Approval time

Revenue


Customer varchar(20) Customer numberInvoice_Amount decimal(10,2) Invoice amount

Auth varchar(20) Approver

Sales_Date date Invoice date

Invoice_Number integer Invoice number

Last_Name varchar(20) Last name

First_Name varchar(20) First name

Address varchar(20) Address

City varchar(20) City

State varchar(20) State

ZIP varchar(20) Zip Code

Phone varchar(20) Phone number

Treasury



Refund_Amount decimal(10,2) Refund amount

Auth varchar(20) Approver

Check_Date date Refund check date

Check_Number int(11) Refund check number

Last_Name varchar(20) Customer last name

First_Name varchar(20) Customer first name

Address varchar(20) Customer address

City varchar(20) Customer city

State varchar(20) Customer StateZIP varchar(20) Customer zip code

Phone varchar(20) Phone number


22/37

Summarization as an analytical toolData summarization can be an effective analytical tool which is very useful in fraud

investigations. There is one investigation objective which can be met using

summarization:

Expectation - 1

Because the call center uses an automated system, each employee should be handling roughly the

same number of customer calls over the period of review.

Click on the video link below to see an overview of the process to summarize data

Length 3:00

Fraud_Detection_Summarization_su1.mp4

Click on the video link below to see a demonstration of the process to summarize

data Length 4:39

Fraud_Detection_Summarization_su2.mp4
http://fraud_detection_summarization_su1.mp4/http://fraud_detection_summarization_su1.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su2.mp4/http://fraud_detection_summarization_su1.mp4/


23/37

Data extraction as an analytical toolData extraction is a powerful analytical tool which is very useful in fraud

investigations. It allows for the testing of specified conditions on a 100% basis. There

are three expectations which can be tested using data extraction.

Expectation 2

As the refund process is largely automated, the length of time from when the call comes in until

the refund is issued will be 4 - 6 business days.

Expectation 3

Most employees can purchase hiking goods at a substantial discount through a payroll deductionplan. Because these terms are very attractive, refunds are not made to employees. It is expected

that very few, if any, employees will receive refunds.

Expectation 7

As the system is automated, there should be no instances where a customer is refunded anamount greater than the amount the customer actually paid for the goods.

Click on the video link below to see a demonstration of the data extraction process.

Length 3:31

Fraud_Detection_Data_extraction_de.mp4

Data extraction for the purpose of identifying errors.

Length 4:16

Fraud_Detection_Data_extraction_de2.mp4
http://fraud_detection_data_extraction_de.mp4/http://fraud_detection_data_extraction_de.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de2.mp4/http://fraud_detection_data_extraction_de.mp4/


24/37

Selection of round numbersRound numbers are often an indication of estimates, which may or may not be

appropriate, depending upon the circumstances. In some cases, round number

amounts are a "red flag" There is one investigation objective which can be met by

testing for round numbers.

Expectation - 8

Because of the pricing amounts and sales tax, it should be quite unusual for there to be

round numbers in refund amounts.

Click on the video link below to see audit uses for round number tests.

Length 2:19

Fraud_Detection_Selection_of_round_number_transactions_rn.mp4

Click on the video link below to see a demonstration of the process to identify round

numbers.

Length 3:17

Fraud_Detection_Selection_of_round_number_transactions_rn2.mp4
http://fraud_detection_selection_of_round_number_transactions_rn.mp4/http://fraud_detection_selection_of_round_number_transactions_rn.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn2.mp4/http://fraud_detection_selection_of_round_number_transactions_rn.mp4/


25/37

Trend line analysis - spotting the unusual (2:57)

Trend lines indicate the norm or expectation. Fluctuations, "spikes" etc. can indicate a

"red flag" which should be investigated. There is one investigation objective which

can be met using trend lines:

Expectation - 10

As refunds tend to lag sales, there should be a general correlation between sales and refunds,

particularly as to trends.

Trend line analysis can be done by first summarizing data by date using the ageing function and

then comparing and plotting that data using Excel.

Click on the video link below to see a demonstration of the process to summarize data.

Length 2:27

Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4

Gaps - what you see is interesting, what you

DON'T see is criticalGaps in numeric sequences (or date sequences) can indicate missing data. There is one

investigation objective which can be met using gaps:

Expectation - 4

Because the disbursement system is almost 100% automated, the check register should becomplete with no gaps in check numbers of refunds issued.

Click on the video link below to see a demonstration of the process to identify missing document

numbers through the use of the numeric sequence gaps function.

Length 2:29

Fraud_Detection_Gaps_what_you_see_is_interesting_what_you_DON_T_see_is_crit

ical_2_29_gp0.mp4
http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_gaps_what_you_see_is_interesting_what_you_don_t_see_is_critical_2_29_gp0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/


26/37

Odd hour transactionsTransactions performed at odd hours should also be investigated, in many cases.

There is one investigation objective which can be met using tests based upon

transaction times:

Expectation - 9

As the business is open only during standard business hours, there should be few, if any,

approvals outside of normal business hours.

Click on the video link below to see a demonstration of the process to check for specific

transaction times.

Length 3:34

Fraud_Detection_Odd_hour_transactions_3_34_time.mp4

Liars and outliersOften the largest (or smallest) transactions are of interest. Although there is no

specific investigation objective involving the identification of largest amounts, this

information is often useful.

Identify the five largest and smallest invoices. Secondarily, narrow the test to invoices

originating from vendors in California.

Click on the video link below to see a demonstration of the process of identifying the largestamounts from a population of transactions or other data.

Length 4:00

Fraud_Detection_Liars_and_outliers_4_00_ol.mp4
http://fraud_detection_odd_hour_transactions_3_34_time.mp4/http://fraud_detection_odd_hour_transactions_3_34_time.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_liars_and_outliers_4_00_ol.mp4/http://fraud_detection_odd_hour_transactions_3_34_time.mp4/


27/37

Benford's Law - looking out for number oneBenford's law is a classic approach to the identification of "made up" amounts. There

is one investigation objective which can be met using Benford's Law:

Expectation - 5

Because the refund amounts are the result of computations, their distribution should generally

follow that expected using Benford's Law.

Click on the video link below to see a an overview of Benford's law.

Length 8:29

Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben.mp4

Click on the video link below to see a demonstration of the process to test the

application of Benford's law.

Length 2:51

Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben1.mp4
http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben1.mp4/http://fraud_detection_benford_s_law_looking_out_for_number_one_8_29_ben.mp4/


28/37

EXERCISE 1 - SUMMARIZATION

The first expectation was that the number of refunds issued would be roughly the

same per customer service representative because the system has an automated system

for assignment of calls to representatives and each representative would spendapproximately the same time with each customer, on average.

This expectation can be tested by summarizing the refund amounts by call center

representative and looking at the results obtained. In order to do this, the following

steps should be taken:

1. Browse to the URLhttp://webcaat.org/webcaat/2. Sign into the system using the id 'hru1' and the password 'hru1'3. Specify a database of 'hru' (not test)4.

Click the "sign in" button5. Select the table 'Refunds' from the drop down list

6. Select the menu item 'Numeric functions | Summarization'7. Enter the information in to be summarized8. Click the "Process" button9. View the results

Were the results as you expected?

Which employee had the largest number of transactions and dollar amount of

transactions?

Were they significantly different from the others?

What plausible explanations are there be for this?

Answer to exercise

Next exercise
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=322http://webcaat.org/moodle/course/modedit.php?update=321http://webcaat.org/webcaat/


29/37

Exercise 1 - Data Summarization (answer)

Click the video below to see the answer to this exercise. Length 3:12

Fraud_Detection_Answer_Exercise_1_3_12_ex1.mp4
http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/http://fraud_detection_answer_exercise_1_3_12_ex1.mp4/


30/37

Exercise 2 - Data extraction

Data extraction can be used to check several of the expectations. The first of these

expetctations are that the number of elapsed business days is 4 - 6 for refund checks to

be issued once the refund request has come in.

This expectation can be checked by having the system examine the elapsed days

between the date the check is issued and the date that initial request was received and

approved in a phine call.

In order to determine the number of elapsed days between two dates, the built in

MySQL function "datediff" can be used.

To make this determination use the menu item "Numeric Functions|Statistics" and

enter the following information into the "where (criteria) box:

datediff(Check_Date,Call_Date) not between 4 and 6.

This statement, in English, means summarize all the refund amounts where the

difference between the check date and the call date were not between 4 and 6.

After you have run this test, provide the following information.

How many transactions did not have a check issued within 4 - 6 days after the call

date?

How many were earlier?

Were there any transactions that seem highly unusual? Why?

Answer - Exercise 2 (Length of time for refunds) (4:59)

Length 4:59

http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/http://fraud_detection_answer_exercise_2_4_59_ex2.mp4/


31/37

Exercise 3 - Round numbers

There was an expectation that refund amounts should generally not be round numbers

because the amount of the refund is based on the actual sales price plus tax and

shipping.

This can be tested using the following steps:

1. Sign in to the Web CAAT application athttp://webcaat.org/webcaat/2. Select the table "Refunds"3. Use the menu item "Numeric tests | round numbers"4. Test the refund amount5. Click "Process"

How many round number refund amounts were there?

Answer - Exercise 3 Round numbers

Click on the link below to see the exercise done.

Length 2:20

http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://fraud_detection_answer_exercise_3_2_20_ex3.mp4/http://webcaat.org/webcaat/


32/37

Exercise 4 - Trend Analysis

One of the expectations was that there should be a general correlation between the

number and amount of refunds and the amount of sales. This is based upon the

reasoning that the percentage of refunds will tend to remain constant.

One of the tests for this is to simply see what the trend has been for sales over the

recent period and then compare that trend with refunds which have been issued.

This can be accomplished using the ageing function and the following steps:

To determine the refund trend:

1. Sign on to the system athttp://webcaat.org/webcaat/2. Select table "Refunds"3. Age the refund amount by date, e.g. Call date4. Use the refund amount as the basis for ageing5. Select an ageing date of '2008-06-30'6. Select an ageing bucket of 307. Run the report

To determine the sales trend:

1. Select the Revenue table2. Age revenue transactions based on sales date3. Use criteria similar to that used for Refunds4. Run the report

What was the trend for Sales?

What was the trend for Refunds?

Does any of this seem suspicious? Why?

Answer - Exercise 4 Trend line analysis

Length (6:26)

Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4
http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://webcaat.org/webcaat/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://fraud_detection_trend_analysis_spotting_the_unusual_2_57_tr0.mp4/http://webcaat.org/webcaat/


33/37

Exercise 5 - Gaps

Because the company uses an automated system to issue refund checks, they have the

expectation that the refund checks are issued using sequentially numbered checks.Thus, one of the expectations is that a test of the check numbers for refund checks will

not disclose any missing check numbers. This can be tested by using the following

procedure:

1. Sign in to the system athttp://webcaat.org/webcaat/(id 'hru1' , password 'hru1'and database 'hru'

2. Select the table named "Refunds"3. Use the menu item "Numeric functions | Numeric Sequence Gaps"4. Select the numeric column which has the value to be tested (check number)5. Click "Process"

What did your analysis show?

Is the system working properly?

Answer - Exercise 5 Gaps (2:04)

Length 2:04



34/37

Exercise 6 - Identify "odd" hour transactions

Exercise 6 - Identify "odd" hour transactions

One of the expectations developed was that there should be no transaction

authorizations outside of normal business hours. The business operates five datys aweek between 8:00 a.m. and 5:00 p.m. and they do not accept calls outside those

hours. Therefore there should be no authorizations for refunds outside of these hours.

This can be tested using the following procedure:

1. Log in to the system athttp://webcaat.org/webcaat/2. Select the table "Refunds"3. Use the menu function pertaining to date functions and Date Selection4. Specify the days of the week to test5. Specify the hours of the day to test6. Specify the "and" operation7. Click "Process"

Did your analysis confirm that there are no authorizations outside of regular business

hours?

If there were authorizations outside of normal business hours, during what time did

they occur?

Answer - Exercise 6 (4:27) Length 4:27



35/37

Exercise 7 - Liars and Outliers

For this exercise determine the five largest refunds issued overall as well as the five

largest refunds approved by the call center representative "CF". This can be

accomplished by performing the following steps:

1. Log in to the system athttp://webcaat.org/webcaat2. Select the table "Refunds"3. Select the menu item "Numeric functions | extreme values"4. Select the column "Refund amount"5. Click "Process"

To find the five largest refunds issued by the call center representative "CF" it will be

necessary to provide criteria which limits the test to just those transactions handled by

"CF". That criteria would be specified as follows:

`Call_Center_Employee` = 'CF'

Note that the column name for call center employee contains blanks so therefore it

must be enclosed by opening apostrophes - this character is found in the upper left

portion of the keyboard just to the left of the number "1" key. The initials of the

employee should be enclosed in a single apostrophe.

Take care in entering this criteria information, otherwise an error will occur. (You

may want to copy and paste this text into the Criteria box on the form).

What was the largest refund amount approved and issued by this employee?

Answer - Exercise 7 Liars and Outliers (7:32)

Length 7:32

http://webcaat.org/webcaathttp://webcaat.org/webcaathttp://webcaat.org/webcaathttp://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://fraud_detection_answer_exercise_7_7_32_ex7.mp4/http://webcaat.org/webcaat


36/37

Exercise 8 - Looking out for #1

The purpose of this exercise is to test the expectation that refund amounts will

generally conform with the amounts predicted by Benford's Law. The reason for the

expectation is that refund amounts are based on actual sales amounts which have a

fairly high range from low to high and are based upon calculated amounts. Also, thereis no single "best seller" that would tend to skew the dollar amounts.

The test of this expection can be performed using the following steps:

1. Sign in to the system athttp://webcaat.org/webcaat2. Select the table "Refunds"3. Use the Menu item "Numeric Procedures | Benford's Law"4. Select the column to be tested of "Refund_Amount" from the drop down list5. Use a Benford test type of "F1" which is also selected from the drop down list.6. Click the "Process" button.

What was the Chi Square value obtained?

Does it appear that the refund amounts do in fact follow Benford's Law?

Answer - Exercise 8 Looking out for number one Length 3:51

http://webcaat.org/webcaathttp://webcaat.org/webcaathttp://webcaat.org/webcaathttp://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://fraud_detection_answer_exercise_8_3_51_ex8.mp4/http://webcaat.org/webcaat


37/37

Setting up an electronic audit program

In this section, the basics of setting up an electronic audit program to enable the tests

performed in this course to be performed on a repetitive automated basis are covered.

The steps in setting up an electronic audit program are as follows:

1. Develop a narrative audit program as a text document. This document shouldbe generally similar in format to that of existing audit programs.

2. Insert special instruction markers within the document in order to format andsequence the steps in the audit program.

3. Import the document as an audit program using the menu item.4. Develop the scripts for the automated program steps. These will consist of pairs

of scripts. The first script will prompt for the information required to perform

the step. The second script will take the input information, run the program step

and display the results.5. Save the scripts developed and note the names assigned to the script files.6. Assign the script file names developed to the audit program steps.7. Test the electronic audit program to ensure it functions as intended.

The short video narratives in this section walk through the process used to develop

and implement an electronic audit program for the specific program steps in this

exercise to investigate and detect fraud.

Click on the link below to see an overview of the process

Length: 2:04

fraud detection using analytics

Documents