Accounting Articles for Students

Detecting Accounts Payable Abuse Through Continuous Auditing

by Larry Potla | Published on 11/24/2003

Changes in information technology and corporate governance are challenging internal audit professionals to review greater volumes of data and to confirm their organization's compliance with internal controls designed to protect assets and shareholder interests. Electronic continuous auditing (ECA) provides internal auditors with viable tools and techniques to meet this challenge by allowing them to analyze and evaluate financial and information systems data on a real-time, or near real-time, basis in many areas of an organization.

Accounts payable is an especially fruitful area to use ECA tools to detect waste, fraud, and abuse. For many organizations, the disbursements paid through the accounts payable function are their largest outflow of cash. Given this situation, accounts payable represents an area that deserves close scrutiny from internal auditors due to the associated risks that can expose the organization's assets to loss, including duplicate payments, lost discounts, the use of unapproved vendors, and variances in terms between the accounts payable and purchasing systems.

Most problems found during accounts payable audits focus on three categories:

  1. Errors.
  2. Waste (inefficiencies).
  3. Fraud or abuse.

Much has been written about the traditional audit tests that uncover accounts payable errors, such as identifying duplicate payments, missed discounts, and calculation accuracy. ECA can be effectively employed to assist auditors with these tests for errors. However, this article will focus on ECA techniques that might be used to detect accounts payable waste, fraud, and abuse. 

Relying on a non-automated method to audit a large and vital business information system such as accounts payable leaves a substantial gap in audit coverage. The traditional accounts payable audit approach is limited because it tests or reviews only a small percentage of a large population of transactions in an area that could be ripe with problems. In many organizations, the volume of accounts payable transactions may be in the hundreds of thousands, or even millions, over the course of a year.

Moreover, internal auditors who use the traditional approach routinely test for missed discounts, clerical accuracy, approvals, correct account distribution, and valid invoice, purchase order, and receiving documents. Although these are appropriate tests for a basic review of accounts payable, they do little to detect fraud, waste, and abuse. Internal auditors don't have to limit their efforts to these basic steps due to the computer-assisted audit and data-mining software tools available today.

Steps for Successful Use of ECA
  • Identify the risks associated with the process or function and the information system.
  • Determine what data is electronically available for the ECA application.
  • Develop an organized approach or plan for using appropriate ECA tests of processing. Determine what tests would be most valuable if performed on a continuous basis.
  • Begin with a few easy computer-assisted audit tests or applications.
  • Once proven to work, define the frequency with which continuous audit tests will be run.
  • Analyze the anomalous conditions identified by ECA tests.
  • Refine ECA tests, as applicable.
  • Once ECA tests have concluded that existing controls are functioning in an acceptable manner, modify ECA testing parameters to consider other risks. 

ECA of accounts payable can be performed continuously or periodically throughout the year to discover potential or actual problems in near real time. ECA can help uncover fraud, waste, and abuse before an opportunity or incident becomes a major threat to corporate assets that results in significant financial loss or a media scandal. Using ECA, auditors can minimize damage and loss to both their organization and internal audit department.

Determining whether these tests should be performed periodically or continuously depends on the exposure that may exist and the organization's ability to recover from a possible loss. For certain problems within accounts payable, recovery can generally be made against vendors because the organization will have an ongoing relationship with them. For certain problems that may be fraud-related, auditors may need to perform real or near real-time tests to minimize a larger exposure that may not be easily recoverable. Although some ECA tests lend themselves to periodic testing, testing may need to be continuous if the auditors' overall risk assessment reveals that the organization may have a greater exposure to fraud where it has little hope of recovery. Auditors must use their own judgment regarding the timeliness and frequency of the ECA tests to be performed based on each specific circumstance.

Taking the first steps to determine how to search or review for potential accounts payable fraud, waste, and abuse requires an understanding of the organization’s accounts payable system, the automated and manual interfaces and processing, and the available data fields. Although not every organization’s system provides sufficient detail to use each of the examples that follow, these techniques should provide most auditors food for thought while reviewing the accounts payable system and processing.

As a general practice, employees are not among the organization’s valid vendors. Although not all "employee vendors" may be indicative of fraud, such conditions may, at a minimum, require disclosure as a potential conflict of interest. Because there is no way of knowing when this condition may exist and the vendor/payment file data can be voluminous, ECA can provide the necessary audit coverage without excessive burden to the auditor. Some specific ECA routines include:

The following ECA tests look for situations, conditions, or transactions that may indicate plans to overcharge an organization:

Depending on the organization’s individual circumstances, many vendor-activity scenarios or situations may raise red flags to internal auditors. A few suggested tests include:

Once internal auditors have conducted their ECA tests and have found anomalies, irregularities, or unusual account activity, the hard work begins. Auditors need probing audit procedures, patience, and due diligence to sort out the facts and draw the correct conclusions based on the ECA findings. It is not unusual for ECA tests to result in false positives for waste, fraud, and abuse. Consequently, auditors will need to refine their tests as they become more familiar with their data and with the nature and complexity of the tests they plan. 

During their analysis of potential problems, auditors should look for data entry or other unintentional errors that may have occurred. They should also look for routine or subsequent adjustments or corrections to accounts payable and vendor files that may have been previously identified by the accounts payable function. Working with absolute values for some data fields may help minimize unnecessary post-ECA analysis efforts by sequencing offsetting (correction) entries next to original entries.

This analytical process is often labor intensive, time consuming, and cumbersome, but over time, it will reveal patterns in data anomalies that will help auditors to better focus on the most productive ECA tests and high-risk audit areas. Internal auditors should experiment with their accounts payable files to determine the most relevant tests for their audit objectives and organization. This can enable internal auditors to use ECA to gain greater knowledge from their organization's mountain of accounts payable data.

Larry Potla, CIA, CPA, CFE is the Executive Director, Audit and Operations Review in American Greetings Corp.

Article courtesy of IT Audit

Want to write for Accountancy?

Well, here's your chance. Click here to read details.


Follow Accountancy on TwitterFollow Accountancy on Facebook