Accounting Articles for Students
Detecting Accounts Payable Abuse Through Continuous Auditing
by Larry Potla | Published on 11/24/2003
Changes in information technology and corporate governance are challenging internal audit professionals to review greater volumes of data and to confirm their organization's compliance with internal controls designed to protect assets and shareholder interests. Electronic continuous auditing (ECA) provides internal auditors with viable tools and techniques to meet this challenge by allowing them to analyze and evaluate financial and information systems data on a real-time, or near real-time, basis in many areas of an organization.
Accounts payable is an especially fruitful area to use ECA tools to detect waste, fraud, and abuse. For many organizations, the disbursements paid through the accounts payable function are their largest outflow of cash. Given this situation, accounts payable represents an area that deserves close scrutiny from internal auditors due to the associated risks that can expose the organization's assets to loss, including duplicate payments, lost discounts, the use of unapproved vendors, and variances in terms between the accounts payable and purchasing systems.
Most problems found during accounts payable audits focus on three categories:
- Waste (inefficiencies).
- Fraud or abuse.
Much has been written about the traditional audit tests that uncover accounts payable errors, such as identifying duplicate payments, missed discounts, and calculation accuracy. ECA can be effectively employed to assist auditors with these tests for errors. However, this article will focus on ECA techniques that might be used to detect accounts payable waste, fraud, and abuse.
APPLYING ECA TO ACCOUNTS PAYABLE
Relying on a non-automated method to audit a large and vital business information system such as accounts payable leaves a substantial gap in audit coverage. The traditional accounts payable audit approach is limited because it tests or reviews only a small percentage of a large population of transactions in an area that could be ripe with problems. In many organizations, the volume of accounts payable transactions may be in the hundreds of thousands, or even millions, over the course of a year.
Moreover, internal auditors who use the traditional approach routinely test for missed discounts, clerical accuracy, approvals, correct account distribution, and valid invoice, purchase order, and receiving documents. Although these are appropriate tests for a basic review of accounts payable, they do little to detect fraud, waste, and abuse. Internal auditors don't have to limit their efforts to these basic steps due to the computer-assisted audit and data-mining software tools available today.
Steps for Successful Use of ECA
ECA of accounts payable can be performed continuously or periodically throughout the year to discover potential or actual problems in near real time. ECA can help uncover fraud, waste, and abuse before an opportunity or incident becomes a major threat to corporate assets that results in significant financial loss or a media scandal. Using ECA, auditors can minimize damage and loss to both their organization and internal audit department.
Determining whether these tests should be performed periodically or continuously depends on the exposure that may exist and the organization's ability to recover from a possible loss. For certain problems within accounts payable, recovery can generally be made against vendors because the organization will have an ongoing relationship with them. For certain problems that may be fraud-related, auditors may need to perform real or near real-time tests to minimize a larger exposure that may not be easily recoverable. Although some ECA tests lend themselves to periodic testing, testing may need to be continuous if the auditors' overall risk assessment reveals that the organization may have a greater exposure to fraud where it has little hope of recovery. Auditors must use their own judgment regarding the timeliness and frequency of the ECA tests to be performed based on each specific circumstance.Taking the first steps to determine how to search or review for potential accounts payable fraud, waste, and abuse requires an understanding of the organization’s accounts payable system, the automated and manual interfaces and processing, and the available data fields. Although not every organization’s system provides sufficient detail to use each of the examples that follow, these techniques should provide most auditors food for thought while reviewing the accounts payable system and processing.
RISK: FICTITIOUS VENDOR ACTIVITY ORIGINATED BY
As a general practice, employees are not among the organization’s valid vendors. Although not all "employee vendors" may be indicative of fraud, such conditions may, at a minimum, require disclosure as a potential conflict of interest. Because there is no way of knowing when this condition may exist and the vendor/payment file data can be voluminous, ECA can provide the necessary audit coverage without excessive burden to the auditor. Some specific ECA routines include:
- Matching the vendor address file to the employee address file. Electronic matching of data needs to be exact. Therefore, it may be advisable to extract only numeric data for this test. For example, "1234 South Main Street" would not equal "1234 S. Main" on an electronic match. To effectively use ECA in this situation, auditors may need to strip out the numeric data from the address field for successful matching.
- Matching vendor phone numbers to employee phone numbers.
- Matching vendor tax identification numbers to employee Social Security numbers. Confidentiality of Social Security numbers needs to be addressed prior to considering this test.
RISK: FICTITIOUS OR ABUSIVE VENDOR ACTIVITY ORIGINATED BY VENDOR
The following ECA tests look for situations, conditions, or transactions that may indicate plans to overcharge an organization:
- Identify different accounts payable payee names with the same address or post office box. Although this test may only support that there are multiple vendor identification numbers in the system for the same vendor, such a condition may also indicate possible bid rigging.
- Search for vendor addresses containing suite numbers. Auditors may find that their organization is doing business with contractors that lack tangible operating facilities.
- Identify vendor-billing problems through "same, same, different" tests. For example, search all records for the same invoice number, same invoice amount, and same invoice date, but different vendor. Review invoices for the same vendor, same invoice date, and same invoice amount, but different invoice number.
- Periodically scan an alphabetical listing of the organization's vendors and suppliers to find fictitious vendor names similar to legitimate vendors. For example, a fictitious office supply vendor may use the name Internal Business Machines to sound like International Business Machines.
RISK: ILLOGICAL OR UNUSUAL VENDOR ACTIVITY
Depending on the organization’s individual circumstances, many vendor-activity scenarios or situations may raise red flags to internal auditors. A few suggested tests include:
- Identifying vendors with no address information detail or with payments mailed to an alternative address. This condition may indicate a fictitious vendor trying to mask identification by limiting profile details.
- Identifying vendor profiles with no contact name. This condition is highly unusual and limits the organization's complaints, questions, and future order communications.
- Identifying vendors with sequential invoice numbers in the accounts payable file. This test indicates that the organization is the vendor's sole customer. As a follow on, identify a pattern of unusually low number sequences for individual vendor invoice numbers, as another possible indication of a vendor created solely to service your company.
- Identifying the organization's largest commodity purchases by vendor to examine sourcing locations for reasonableness. High-volume purchases from a geographic location that cannot support such activity may indicate non-competitive bidding for these procurements.
- Isolating invoices dated on Saturdays, Sundays, or holidays to identify possible fictitious vendors and to determine the portion of the vendor base represented by "weekend freelancers."
- Searching for unusual accounts payable file data based on digital analysis applying Benford's Law. This testing technique can be quite complex but may uncover anomalies worth investigating. Often Benford's testing on a population as small as 5,000 transactions may reveal many easy-to-miss anomalies that may need further testing.
ANALYZING ACCOUNTS PAYABLE ANOMALIES
Once internal auditors have conducted their ECA tests and have found anomalies, irregularities, or unusual account activity, the hard work begins. Auditors need probing audit procedures, patience, and due diligence to sort out the facts and draw the correct conclusions based on the ECA findings. It is not unusual for ECA tests to result in false positives for waste, fraud, and abuse. Consequently, auditors will need to refine their tests as they become more familiar with their data and with the nature and complexity of the tests they plan.
During their analysis of potential problems, auditors should look for data entry or other unintentional errors that may have occurred. They should also look for routine or subsequent adjustments or corrections to accounts payable and vendor files that may have been previously identified by the accounts payable function. Working with absolute values for some data fields may help minimize unnecessary post-ECA analysis efforts by sequencing offsetting (correction) entries next to original entries.
This analytical process is often labor intensive, time consuming, and cumbersome, but over time, it will reveal patterns in data anomalies that will help auditors to better focus on the most productive ECA tests and high-risk audit areas. Internal auditors should experiment with their accounts payable files to determine the most relevant tests for their audit objectives and organization. This can enable internal auditors to use ECA to gain greater knowledge from their organization's mountain of accounts payable data.
Larry Potla, CIA, CPA, CFE is the Executive Director, Audit and Operations Review in American Greetings Corp.
Article courtesy of IT Audit
Want to write for Accountancy?
Well, here's your chance. Click here to read details.