© Grant Thornton. All rights reserved. Data analytics in the audit March 18, 2011 Keith Barger, Principal, Advisory Services & Forensic Technology Services Practice Leader

© Grant Thornton. All rights reserved. Overview Speaker background Introduction What is fraud? Data analytics: Defined Data analytics: Practical use Case studies Wrap up / Q & A

© Grant Thornton. All rights reserved. Keith Barger ATF – 18+ years of special agent –Technical operation Big 4 – Director –Forensic Technology and e-Discovery Grant Thornton – Principal, Practice Leader –Forensic & Litigation Services –Forensic Technology Services

© Grant Thornton. All rights reserved. Introduction Fraud examiners and internal/external auditors utilize data analytics to aid in revealing potential concerns, enabling the detection of fraudulent circumstances as early as possible

© Grant Thornton. All rights reserved. What is fraud? A general concept that refers generally to any intentional act committed to secure an unfair or unlawful gain. Financial fraud typically falls into the following categories: –Fraudulent financial transactions and reporting –Misappropriation of assets –Revenue of assets gained by fraudulent or illegal acts –Expenditures or liabilities avoided for inappropriate purpose –Improperly obtained assets and costs / expenses avoided –Other misconduct (e.g., conflicts of interest, insider trading, theft of trade secrets, etc.)

© Grant Thornton. All rights reserved. What is fraud? (continued) Public reports related to fraud occurrences –Association of Certified Fraud Examiners 2008 Report to the Nation –Occupational fraud schemes tend to be extremely costly –The median loss caused by occupational frauds $175,000 –More than 25% of the fraud involved losses of more than $1M Critical Perspectives on Accounting, 2010 –90% of the frauds occur at the senior executive level PCAOB proposed Auditing Standard indicates –Controls related to the preventions, identification, and detection of fraud often have a pervasive effect on the risk of fraud

© Grant Thornton. All rights reserved. What is fraud? (continued) Goals of fraud risk management –Understand fraud and misconduct risks that can undermine their business objectives –Reduce exposure to corporate liability, sanctions, and litigation –Achieve the highest levels of business integrity through sound corporate governance and intelligence, and internal policies and controls Risk Assessment Fraud Prevention Identification and Detection Risk Mitigation Reporting

© Grant Thornton. All rights reserved. Data analytics: Defined Data analytics is the science of examining raw data with the purpose of drawing conclusions about that information

© Grant Thornton. All rights reserved. Data analytics: Defined (continued) A data analytic aided program –Information technology and use of computer based audit techniques such as data analytics can significantly improve the effectiveness of a corporate fraud risk management program and corporation investigations The data analytics program can be generally outlined as: –Consideration of potential fraud schemes and scenarios –Assessment at various levels: globally (corporate-wide), significant business units, substantial account levels –Testing of the effectiveness of the internal policies and controls –On-going monitoring and evaluations on a periodic and random frequency to access performance and effectiveness

© Grant Thornton. All rights reserved. Data analytics: Defined (continued) Key benefits of data analytics –Rapidly evaluate large amounts of data which could mitigate fraud risks and/or detect fraud –Capable of analyzing large data set and oftentimes, 100% of the relevant data –Abilities to apply similar analysis routines to various data sets without excess development time

© Grant Thornton. All rights reserved. Data analytics: Defined (continued) How good is your data? –Data quality is essential to interoperability and should be evaluated based on: How do you verify the completeness or data? Accuracy Consistency on data formats, naming conventions and precision Do data sources triangulate? –Exportability and portability How easy can the data be exported? –Audit trail How much effort is required to uncover the change in data values and accountability of the changes?

© Grant Thornton. All rights reserved. Data analytics: Defined (continued) Data integrity –Data normalization and standardization is often required before computerize tools start analyzing corporate financial and transactional data

© Grant Thornton. All rights reserved. Data analytics: Practical use Examples of potential fraud risks in financial management system –Fraudulent financial reporting –General ledger –Misappropriation of assets –Asset management and asset retirement calculation –Unauthorized or improper receipt and expenditures –GL, Account payable, time and expense management, purchase care program –Management override of transactions –Transaction audit trails –Theft and improper use of material and resource –Asset management, inventory management and human resource

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued) Journal entries (JE) / General ledger (GL) Account payable (AP) / Purchasing Account receivable (AR) / Sales Payroll / Human resource (HR) Time and expense / HR FCPA / Anti-bribery and corruption Sales and use tax Purchase card program Regulation and compliance

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued) Industry agnostic Software license review Financial risk management Dispute resolution Healthcare regulatory compliance Pharmaceutical regulatory compliance (Medicaid pricing) Contract compliance Royalty audits Construction cost recovery Financial restatements Fraud risk management (Sub-prime lending) Financial investigations

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued) Effective use of Benford's law –Benford's law has been providing investigators with a simple, yet effective, tool for detecting fraudulent transactions –Choose appropriate data sets that conform to the distribution –Consider large concentration of assigned numbers or firm-specific numbers –Verify upper and lower number boundaries

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued)

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued) User activity and accountability –Most established financial management systems have a built in function to record chronological sequence of activities. The logged records show who has accessed the system and what operations he or she had performed during a given period of time –Audit trail helps to identify fraudulent transactions based on User name or ID (e.g., unauthorized or blocked users) Entry timestamps (e.g., created or updated during questionable period of time) Volume of transactions (e.g.: unnecessary access) –Audit trail also assists on identifying management override of transactions and process flow

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued)

© Grant Thornton. All rights reserved. Data analytics: Practical use (continued) Through continuous monitoring of the operations, controls and procedures, weak or poorly designed or implemented controls can be corrected or replaced A technology-aided anti-fraud program can be periodically executed and as frequent as needed Random execution and manual test review helps to enhance the quality of the program A real time "red flags" response system can alert management for immediately actions

© Grant Thornton. All rights reserved. Case study – Government agency anti-fraud program Directed and oversaw an anti-fraud program with regard to government grant disbursements related to disaster recovery The program involved development of a data repository and analytics to identify fraud, waste and abuse across several areas ranging from false claims, duplicate benefits, grant calculation verification, and construction-related fraud Large number of data sources and terabytes of data were accessed, on an on-going basis, to retrieve program related data from a variety of government and private agencies

© Grant Thornton. All rights reserved. Case study – Government agency anti-fraud program (continued) Data marshalling procedures were conducted on database servers and accounted for the normalization Approximately 3,500 data analytic routines and queries were executed against the data to identify anomalous and outlier data Weekly reports were compiled which outlined the current analytic results and the overall status of the program

© Grant Thornton. All rights reserved. Case study – Insurance company internal investigation Applied data analytics to claims data Performed analysis of 130,000+ transactions –5 years worth of data analyzed Work performed in ½ time 100% manual review Internal control weaknesses identified

© Grant Thornton. All rights reserved. Case study – Forensic in the audit program Grant Thornton is implementing a data analytics program helping external auditors to conduct a comprehensive analysis and identify potential "red flags" related to clients' accounting practices The program utilizes customizable analytical routines and queries to evaluate data records from clients' ledger systems

© Grant Thornton. All rights reserved. Wrap up / Q & A Sampling vs. complete review Rapid turn around with streamline reporting Cost matches client's need Flexible and fully customizable to specific industries