Fraud detection using analytics

Topics
Objectives
Overview
Analytic procedures
Exercises
Continuous auditing
Summarization and wrap-up

Fraud detection using analytics - objectives

Topics
Course Objectives
Case study overview
Course materials
Exercises
Recommended sequence
Home

Detection and investigation of Fraud

This is a case study regarding a fictitious mail order company where an allegation of
fraud has been received. A SAS 99 brainstorming session was held, and 11 critical
expectations were developed during that brain storming session. The case study can
generally be completed in about four hours.

Upon completion of this case study, participants will:

 Understand the application of summarization and why it is often useful to

highlight areas of possible concern
 Learn how to readily identify audit outlier amounts
 Understand how to implement "matching" to identify critical exceptions
 See how to quickly check for gaps in numeric sequences
  Understand and apply Benford's Law to items such as revenue, for the purpose
of determining reasonableness
 Know how to quickly identify all types of duplicates
 Extract just transactions with errors, according to auditor provided
specifications
 Isolate transactions with round numbers for further review
 Be able to check logs for transactions initiated during non-business hours
 Know how to summarize time line data using ageing in order to spot unusual
trends
 Check that separation of duties controls are effective

How this is done

Recommended steps are as follows:

 Read the narrative in order to gain an understanding of the environment being

audited (or watch to short video overview)
 Optionally, download the case study data (Excel 2003 workbook) - however all
the data needed is available online
 Select any or all of the short videos which demonstrate possible audit solutions
 Test your knowledge by re-performing the audit procedures (or using
alternative methods)

Hikers 'R Us Case Study

Recommended sequence

Recommended steps are as follows:

 Follow the steps, item by item, in the course outline

 Read the narrative in order to gain an understanding of the environment being
audited (or watch to short video overview)
 Optionally, download the case study data (Excel 2003 workbook) for review
(however, this step is not required because all the data is available online)
 Select any or all of the short videos which demonstrate possible audit solutions
 Test your knowledge by re-performing the audit procedures (or using
alternative methods)
 Course materials

All of the course materials are available on-line. These are included as links in the
course material.

The final module at the end of the course also includes a number of links to other
references of possible interest.

The online course material consists of simulated vendor and employee data suitable
for audit testing. The data is contained on a cloud server in a database. In order to
access this data, a proper user id and password must be provided. The user id for the
Fraud Detection course is "hru1" with a password of "hru1". The name of the
database to be specified is "hru". All of this information is provided without the
quotes and is case sensitive.

The login form is shown below.

Once a login has been successfully completed, a table should be selected from the
drop down list. This form appears as follows.

The course uses seven database tables as follows:

AR (customer receivables)
Call_Center (Call Center transactions)
Customer_Service (Customer Service authorizations)
Employee (Employee master file)
Refunds (Refunds issued)
Revenue (Sales transactions)
Treasury (Authorizations by the Treasury department
Case study exercises

"I hear and I forget. I see and I remember. I do and I understand." - Confucius

Overview

Performing exercises reinforces the concepts taught and better ensures that the auditor
will be able to apply the concepts learned in future audits.

Structure

Concepts are presented and discussed. Then an example of how to apply the concept
is presented. Following this an example exercise with instructions is presented in
order to test the participant's understanding of the concepts. Finally, the answer to the
exercise is also presented in order to compare the results obtained by the participant
with the suggested procedure.

Watching the exercise

When tutorials are presented, they may be accompanied by a video. These videos
have a control bar at the bottom of the video to navigate and control how the video is
presented. Click on the link below to view the process to control the videos using the
control bar.

Narration (2:03)
Fraud_Detection_Exercises_video.mp4
Case study overview
Hikers 'R Us Narrative

Overview

Founded in 1978, Hikers ‘R Us is the premier mail order firm supplying a wide range of quality
hiking and camping supplies and equipment. Almost all of the items are sold through mail order
to customers in the United States and Canada. The goods are imported from China. Hikers ‘R Us
has been profitable for some time. They have transitioned from doing business on paper through
several computer based systems.

Refund Policy

Hikers ‘R Us has a very liberal return policy so they will accept returns for almost any reason.
Returns have historically been low at around 1% of sales. A recent routine audit of sales returns
did not disclose any weaknesses or errors. Although revenues have been flat, returns have been
steadily increasing.

System Operations

The company uses the enterprise software from the Mexican software company “Sapo”. (Sapo
means toad in Spanish). Controls over cash refunds are very tight. First, the software system
itself performs extensive checking and cross-checking at every step in the refund process. The
computer system is housed in a highly secured area and physical access is severely limited.

The refund process begins when a customer contacts the call center in Leland, North Carolina.
Call center hours are 8:00 a.m. to 5:00 p.m. on business days – typically Monday through Friday
and excluding holidays. Calls come through an automated voice recording system where the
customer enters their account number. When a call center representative takes the call, the
customer’s account is brought up immediately in the Sapo system and the representative can
verify that the purchase was made. The call center representative then completes a form 2134 –
“Customer Refund Quest”. The original is a white page, which is filed in the Call Center in
numerical order. The yellow copy is forwarded to the Customer Service center where it is filed in
the customer’s account file. The third copy, pink, is sent to the Treasury Department. Sapo
includes a state of the art “work flow” system. The system logs all of the activity.

The work flow system assigns the call center information randomly to one of twenty customer
service center representatives. (Customer service center representatives are separate from the call
center staff). Each customer service center representative logs onto the Sapo system and
examines their work queue which consists of customer refund requests. The customer service
center representative then pulls the yellow copy of the refund request from the customer’s file,
verifies that the customer information is correct and then checks that the order refund request is
appropriate considering the purchase date and amount. The Sapo system maintains a history of
account activity for each customer.
Once the customer service center representative has completed the review, the yellow copy is
signed, dated and initialed and then returned to the customer file. The work queue is marked
complete and the Sapo system then assigns the request to a random employee in the Treasury
department for review and final approval.

The Treasury department is located in Ocracoke, North Carolina. They receive the pink copy of
the customer refund request, which is faxed from Leland. When each employee in Ocracoke logs
on the Sapo system, they review their work queue to see the customer refund requests that have
been assigned to them by the system. Each request in the system is then matched against the
faxed pink copy and the amounts are verified against the Sapo customer history file. They then
initial and date the fax form and file it in sequential order. When complete, they approve the
refund request in the work queue system. The next business day after the refund request has been
approved, checks are printed, burst, stuffed and mailed from the data center in Charlotte, North
Carolina.

Hot Line

The company has a “hot line” and recently received a number of calls (all but one were
anonymous) that an inside ring was stealing fairly significant amounts of money using the refund
process. Hikers ‘R Us recently implemented their “Window to the World” policy that all fraud
allegations would be detailed and publicized so that their shareholders, employees and vendors
would be able to see all allegations. This would serve as a deterrent to any fraudsters.

You contacted the one identified person making the allegation and found that he is now
completely uncooperative. All he would say is that as an employee, he is unhappy because
despite working hard, he has not gotten a raise in years. He also said he has spotted two Porsches
and three Hummers in the company parking lot that were not there before and wonders how
employees can afford these.

Refund Supervisor

The supervisor of refunds informs you that there is no problem. With the economy in bad shape,
people are cutting back on camping, but now seem less reluctant to ask for a refund. He said
some customers are definitely taking advantage of the liberal refund policy. He is also annoyed
that you are even asking about this, stating that he was just audited by Poe, Pollock and
Cartwright, a small regional auditing firm. The audit proved there were no problems. Due to
forced cutbacks his staff is now working overtime. With all that is going on he asks that any
further questions be cancelled or deferred.

Management Request

Management also doesn’t think there is a problem, but they would like for you to take a look.
You’ve decided to set up a “brain storming” session using the guidelines of SAS 99 and
suggested brainstorming approaches such as those recently published (selected articles on CD).
The brain storming sessions have been fruitful and identified a number of potential fraud risk
areas:

 Collusion in refund approvals

 Refunds made to employees
 Duplicate refunds
 Refunds in excess of the purchase amount

As a result of those brain storming sessions, the following expectations have been set out:

1. Because call center contacts are assigned randomly, each call center employee should
have roughly the same number of customer authorizations
2. The refund process typically takes 4 – 6 days from start to finish. There should be few
instances where the timeline is different
3. There should be few refunds made to employees
4. The Sapo system log of check numbers issued should contain no gaps
5. Because the refund amounts are based on actual sales, they should follow the pattern
expected using Benford’s law
6. There should be no duplicate refunds
7. There should be no refunds which exceed the purchase costs
8. Because refunds are based on actual sales, there should be few round number amounts
9. Since the call center is only open during regular business hours there should be no
approvals outside those hours
10. There should be a close correlation between sales and refunds
11. The separation of duties system is working as intended

IT Department

The computer division has a special group of analysts - Online Sales Consultants (OSC) who
routinely monitor the Sapo transactions in order to identify marketing trends, business
opportunities, etc. They have provided you with all the data for the last quarter. This data
consists of about 10,000 transactions which have been loaded into an Excel workbook and
broken out into five work sheets as follows:

1. Cusromer Refund

2. Call Center

3. Treasury

4. Accounts Receivable

5. Employee

Mission
Your mission, should you decide to accept it, is to look at these transactions and provide an
independent assessment to management regarding fraud risk.

Hint – there are too many transactions to perform a manual review.

Tasks – using the data provided, go through the risk areas identified. Determine if there are any
fraud indicators which might merit a further investigation.

Data in the Excel Work Book

The work book consists of six work sheets:

Employee – information about each employee, including name and address

Call Center – has a log of activity:

 CallDate
 Call Time
 Call Employee
 Customer
 Amount

AR – accounts receivable history information

 Customer
 Refund amount
 Call Employee
 Customer Balance

Treasury – information from the refund disbursements log, combined with customer refund
information

 Customer
 Refund amount
 Authorization
 Check Date
 Check Number
 Customer last name
 Customer first name
 Customer street address
 Customer City
 Customer State

Customer Service – logs from the customer service center

 Customer
  Refund amount
 Authorizer
 Authorization date
 Authorization time
 Customer last name
 Customer first name
 Customer street address
 Customer City
 Customer State

Refunds – All of the information above (except employee information) has also been combined
onto a single worksheet, should you wish to work with one worksheet instead of many.

Getting Started

For each of the eleven expectations, design a test to determine if the expectation has been met or
not. For example, the first expectation is that because the calls are assigned randomly in the call
center, there will be about the same number of calls handled by each employee.

Whether this is, in fact, the case, could be determined by preparing a summary of refunds by
employee.

Each of the other expectations can be checked using one or more of the tools discussed during
the session.

Possible approaches for checking expectations.

Expectation 1

1. Because the call center uses an automated system, each employee should be handling roughly
the same number of customer calls over the period of review.

Summarize call center log records by employee. Examine counts.

Expectation 2

2. The refund process typically takes 4 – 6 days from start to finish. There should be few
instances where the timeline is different

One approach is to prepare a data stratification based upon the number of elapsed days contained
in each transaction. This can be done either as a single step or as a two step process.

The two step process would involved having the system make a calculation as to the number of
days elapsed. The second step would be to do a data stratification using this calculated amount.

The single step process involves doing a data stratification on the calculated amount.
Expectation 3

3. There should be few refunds made to employees

This test can be performed by doing a match on last name and first name between the employee
master and the treasury log of checks issued. This will require the use of a macro and SQL code
to perform the match.

The SQL code should match up the work sheets Employee and Treasury in order to identify any
instances where two rows exist which meet the following conditions:

Same customer number

Employee last name is same as customer last name

Employee first name is same as customer first name

Expectation 4

4. The Sapo system log of check numbers issued should contain no gaps

A simple check is to run a gap test on the checks issued by the Treasury department. The check
would be made using the check number.

Expectation 5

5. Because the refund amounts are based on actual sales, they should follow the pattern expected
using Benford’s law

This test can be performed using Benford’s law on the refund amounts. It may also be instructive
to run a pattern analysis using Benford’s law, be employee to determine if any employees have
refunds whose Benford pattern differs significantly from that which is expected.

Expectation 6

6. There should be no duplicate refunds

Potential duplicates can be identified by specifying the names of the columns to be tested. For
example, customer, refund amount. Another example might be customer, check date.

Expectation 7

7. There should be no refunds which exceed the purchase costs

The refund amount (column “E” on the Combined work sheet) should always be less than the
customer balance (column “F”).
Expectation 8

8. Because refunds are based on actual sales, there should be few round number amounts

This can be tested using the round number analysis. Also, a pattern test can be used for
differences in round number amounts between customer service representatives. This test will
identify if any employee has a pattern of round number refunds which differs significantly from
those of all other employees.

Expectation 9

9. Since the call center is only open during regular business hours there should be no approvals
outside those hours

One check that can be performed is to look for transaction approvals outside normal business
hours. Several tests are available, such as population statistics and data extraction.

Expectation 10

10. There should be a close correlation between sales and refund

Possibly the first step is to simply plot the aggregate sales and refunds by day or week to
determine the overall trend, and correlation, if any.

This step can be refined by looking at individual employees, possibly focusing on those with the
largest dollar amount of refunds.

Expectation 11

11. The separation of duties system is working as intended

One test that could check for separation of duties is to check for any of the following conditions:

Check for call center employee = customer service employee

Check for call center employee = treasury employee

Check for treasury employee = customer service employee

All three department employees are the same

It is also possible to determine instances of potential collusion by determining if any particular

combination of approvers is much more common than the rest. This can be done by summarizing
refunds by all three employees. The results of the summary, expressed as counts, can then be
sorted in descending order. From this list, it can be determined if any one combination (or group
of combinations) is much more prevalent than would be expected.
Investigation objectives
Audit Objectives
The SAS 99 brain storming session identified eleven expectations. Each of these
expectations should be tested. The eleven objectives are summarized below, each with
a link to a brief tutorial explaining how the audit objective can be met.

Expectation - 1

Because the call center uses an automated system, each employee should be handling
roughly the same number of customer calls over the period of review.

Expectation - 2

As the refund process is largely automated, the length of time from when the call
comes in until the refund is issued will be 4 - 6 business days.

Expectation - 3

Most employees can purchase hiking goods at a substantial discount through a payroll
deduction plan. Because these terms are very attractive, refunds are not made to
employees. It is expected that very few, if any, employees will receive refunds.

Expectation - 4

Because the disbursement system is almost 100% automated, the check register
should be complete with no gaps in check numbers of refunds issued.

Expectation - 5

Because the refund amounts are the result of computations, their distribution should
generally follow that expected using Benford's Law.

Expectation - 6

Because of all the validation controls in the system, there should be no duplicate
refunds issued to customers.

Expectation - 7
As the system is automated, there should be no instances where a customer is
refunded an amount greater than the amount the customer actually paid for the goods.

Expectation - 8

because of the pricing amounts and sales tax, it should be quite unusual for there to be
round numbers in refund amounts.

Expectation - 9

As the business is open only during standard business hours, there should be few, if
any, approvals outside of normal business hours.

Expectation - 10

As refunds tend to lag sales, there should be a general correlation between sales and
refunds, particularly as to trends.

Expectation - 11

The key control of separation of duties is enforced by the system and should be
operating as intended.
Performing Analytical Procedure

The decision as to which type of analytical procedure is appropriate for a particular

type of analysis can be facilitated by the decision tree shown below. Starting the first
row, answer each question with either a Yes or a no and then proceed to the next step.
Steps consist of numbers and procedures are identified by letters. Following this
process, a potential analytical procedure applicable to a particular investigative
objective may be helpful.
Note that the procedures covered in this coure are highlighted in green at the bottom.

Step Question Yes No

1 Analysis is primarily based upon amounts? 6 2
2 Analysis is primarily based on dates? 8 10
3 Analysis based upon classification of amounts? 21 4
4 Analysis based on characteristics of numbers? 11 14
6 Is the primary objective related to planning? 14 7
Is the primary objective related to identification
7 A 3
of specific error conditions
Are there specific dates or days of the week of
8 9 18
interest?
9 Are transactions on holidays needed? H I
10 Will tests for duplicates meet objectives? B 18
11 Will round numbers play a significant role? Q 12
12 Test for "made up" numbers? J 13
Will extreme values be helpful - largest or
13 M 24
least?
14 Data summarization needed? S 15
15 Control totals needed? R 16
16 Overall classification of the population? 21 17
21 Classification with "by" variable K 22
22 Stratification by numeric ranges? L N
17 Selection of a random sample P V
18 Can ageing analysis support the objective? 19 20
19 Overall population ageing helpful? C D
20 Test for missing dates? E 23
Looking for transaction within specific date
23 F,G V
ranges
24 Check for missing numeric sequence values O 25
25 Will tests for linear relations help? T 26
Can testing for same, same, different be
26 U V
applied?
- Analytic Procedures
A Data extract
B Duplicates
C Ageing
D Ageing by Value
E Date Gaps
F Date Near
G Date Range
H Holiday Dates
I Date Selection
J Benford's Law
K Cross Tabulation
L Data stratification
M Extreme Values
N Histogram
O Numeric Sequence Gaps
P Random Sample
Q Round Numbers
R Statistics
S Summarization
T Linear regression
U Same, Same, different
V Single SQL Statement
 Analytic procedures
The types of analytic procedures that could be used will vary based upon the
objectives of the investigation. Outlined below are some of the key types of analytics
that could be deployed.
Expectation - 1
Because the call center uses an automated system, each employee should be handling
roughly the same number of customer calls over the period of review.
Summarization procedure.
Expectation - 2
As the refund process is largely automated, the length of time from when the call
comes in until the refund is issued will be 4 - 6 business days. Data extraction.
Expectation - 3
Most employees can purchase hiking goods at a substantial discount through a payroll
deduction plan. Because these terms are very attractive, refunds are not made to
employees. It is expected that very few, if any, employees will receive refunds. Data
extraction.
Expectation - 4
Because the disbursement system is almost 100% automated, the check register
should be complete with no gaps in check numbers of refunds issued. Sequence gaps.
Expectation - 5
Because the refund amounts are the result of computations, their distribution should
generally follow that expected using Benford's Law.
Expectation - 6
Because of all the validation controls in the system, there should be no duplicate
refunds issued to customers. Duplicates.
Expectation - 7
As the system is automated, there should be no instances where a customer is
refunded an amount greater than the amount the customer actually paid for the goods.
Data extraction.
Expectation - 8
Because of the pricing amounts and sales tax, it should be quite unusual for there to be
round numbers in refund amounts. Round numbers.
Expectation - 9
As the business is open only during standard business hours, there should be few, if
any, approvals outside of normal business hours. Data extraction.
 Expectation - 10
As refunds tend to lag sales, there should be a general correlation between sales and
refunds, particularly as to trends. Trend lines.
Expectation - 11
The key control of separation of duties is enforced by the system and should be
operating as intended. Data extraction.
 Data structure
Data for Hikers 'R Us is contained in seven tables which are more fully described
below. The tables are:

1. Refunds
2. Accounts Receivable
3. Call Center Employees
4. Treasury (Paid refund checks)
5. Call Center activity
6. Customer Service
7. Revenue

Refunds
Field Type Null Key Default Extra
Call_Date date Date the call came in
Call_Time time Time the call came in
Initials of the call center
Call_Center_Employee varchar(50)
employee
Customer varchar(50) Customer number
Amount decimal(10,2) Amount of refund
Balance on customer's
Customer_Balance decimal(10,2)
account
Treasury_Auth varchar(50) Approval id in Treasury
Check_Date date Date of refund check
Check_Number int(11) Refund check number
Lastname varchar(50) Customer last name
Firstname varchar(50) Customer first name
Address varchar(50) Customer street address
City varchar(50) Customer City
CSState varchar(5) Customer State
Customer Service
Cust_Serv_Auth varchar(50)
Approver
CS_Auth date Date of authorization
Auth_Time time Time of authorization
Sales_date date Date of sale
Accounts Receivable
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Refund_Amount decimal(10,2) Refund Amount
Customer account
Customer_Balance decimal(10,2)
balance
Call Center Employees
Field Type Null
LASTNAME varchar(50) Employee last name
FIRSTNAME varchar(50) Employee first name
MIDNAME varchar(50) Employee middle initial
DOB date Date of birth
ADDRESS varchar(50) Address
CITY varchar(50) City
ESTATE varchar(50) State
ZIP varchar(50) Zip Code
Phone varchar(50) Telephone number
Call Center Activity
Field Type Null Key Default Extra
Call_Date date Date call came in
Call_Time time Time call came in
Call_Employee varchar(20) Employee initials
Customer varchar(20) Customer number
Amount decimal(10,2) Refund amount
Sales_Date date Sales dates
Customer Service
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Refund_Amount decimal(10,2) Refund amount
Auth varchar(20) Approver id
Auth Date date Approval date
Auth Time time Approval time
Revenue
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Invoice_Amount decimal(10,2) Invoice amount
Auth varchar(20) Approver
Sales_Date date Invoice date
Invoice_Number integer Invoice number
Last_Name varchar(20) Last name
First_Name varchar(20) First name
Address varchar(20) Address
City varchar(20) City
State varchar(20) State
ZIP varchar(20) Zip Code
Phone varchar(20) Phone number
Treasury
Field Type Null Key Default Extra
Customer varchar(20) Customer number
Refund_Amount decimal(10,2) Refund amount
Auth varchar(20) Approver
Check_Date date Refund check date
Check_Number int(11) Refund check number
Last_Name varchar(20) Customer last name
First_Name varchar(20) Customer first name
Address varchar(20) Customer address
City varchar(20) Customer city
State varchar(20) Customer State
ZIP varchar(20) Customer zip code
Phone varchar(20) Phone number
Summarization as an analytical tool
Data summarization can be an effective analytical tool which is very useful in fraud
investigations. There is one investigation objective which can be met using
summarization:
Expectation - 1

Because the call center uses an automated system, each employee should be handling roughly the
same number of customer calls over the period of review.
Click on the video link below to see an overview of the process to summarize data
Length 3:00
Fraud_Detection_Summarization_su1.mp4

Click on the video link below to see a demonstration of the process to summarize
data Length 4:39

Fraud_Detection_Summarization_su2.mp4
Data extraction as an analytical tool
Data extraction is a powerful analytical tool which is very useful in fraud
investigations. It allows for the testing of specified conditions on a 100% basis. There
are three expectations which can be tested using data extraction.
Expectation 2

As the refund process is largely automated, the length of time from when the call comes in until
the refund is issued will be 4 - 6 business days.
Expectation 3

Most employees can purchase hiking goods at a substantial discount through a payroll deduction
plan. Because these terms are very attractive, refunds are not made to employees. It is expected
that very few, if any, employees will receive refunds.
Expectation 7

As the system is automated, there should be no instances where a customer is refunded an

amount greater than the amount the customer actually paid for the goods.
Click on the video link below to see a demonstration of the data extraction process.
Length 3:31
Fraud_Detection_Data_extraction_de.mp4

Data extraction for the purpose of identifying errors.

Length 4:16
Fraud_Detection_Data_extraction_de2.mp4
Selection of round numbers
Round numbers are often an indication of estimates, which may or may not be
appropriate, depending upon the circumstances. In some cases, round number
amounts are a "red flag" There is one investigation objective which can be met by
testing for round numbers.
Expectation - 8

Because of the pricing amounts and sales tax, it should be quite unusual for there to be
round numbers in refund amounts.
Click on the video link below to see audit uses for round number tests.
Length 2:19
Fraud_Detection_Selection_of_round_number_transactions_rn.mp4

Click on the video link below to see a demonstration of the process to identify round
numbers.

Length 3:17

Fraud_Detection_Selection_of_round_number_transactions_rn2.mp4
Trend line analysis - spotting the unusual (2:57)
Trend lines indicate the norm or expectation. Fluctuations, "spikes" etc. can indicate a
"red flag" which should be investigated. There is one investigation objective which
can be met using trend lines:
Expectation - 10

As refunds tend to lag sales, there should be a general correlation between sales and refunds,
particularly as to trends.
Trend line analysis can be done by first summarizing data by date using the ageing function and
then comparing and plotting that data using Excel.
Click on the video link below to see a demonstration of the process to summarize data.
Length 2:27
Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4

Gaps - what you see is interesting, what you

DON'T see is critical
Gaps in numeric sequences (or date sequences) can indicate missing data. There is one
investigation objective which can be met using gaps:
Expectation - 4

Because the disbursement system is almost 100% automated, the check register should be
complete with no gaps in check numbers of refunds issued.
Click on the video link below to see a demonstration of the process to identify missing document
numbers through the use of the numeric sequence gaps function.
Length 2:29
Fraud_Detection_Gaps_what_you_see_is_interesting_what_you_DON_T_see_is_crit
ical_2_29_gp0.mp4
Odd hour transactions
Transactions performed at odd hours should also be investigated, in many cases.
There is one investigation objective which can be met using tests based upon
transaction times:
Expectation - 9

As the business is open only during standard business hours, there should be few, if any,
approvals outside of normal business hours.
Click on the video link below to see a demonstration of the process to check for specific
transaction times.
Length 3:34
Fraud_Detection_Odd_hour_transactions_3_34_time.mp4

Liars and outliers

Often the largest (or smallest) transactions are of interest. Although there is no
specific investigation objective involving the identification of largest amounts, this
information is often useful.

Identify the five largest and smallest invoices. Secondarily, narrow the test to invoices
originating from vendors in California.
Click on the video link below to see a demonstration of the process of identifying the largest
amounts from a population of transactions or other data.
Length 4:00
Fraud_Detection_Liars_and_outliers_4_00_ol.mp4
Benford's Law - looking out for number one
Benford's law is a classic approach to the identification of "made up" amounts. There
is one investigation objective which can be met using Benford's Law:
Expectation - 5

Because the refund amounts are the result of computations, their distribution should generally
follow that expected using Benford's Law.
Click on the video link below to see a an overview of Benford's law.
Length 8:29
Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben.mp4

Click on the video link below to see a demonstration of the process to test the
application of Benford's law.

Length 2:51

Fraud_Detection_Benford_s_Law_looking_out_for_number_one_8_29_ben1.mp4
EXERCISE 1 - SUMMARIZATION

The first expectation was that the number of refunds issued would be roughly the
same per customer service representative because the system has an automated system
for assignment of calls to representatives and each representative would spend
approximately the same time with each customer, on average.

This expectation can be tested by summarizing the refund amounts by call center
representative and looking at the results obtained. In order to do this, the following
steps should be taken:

1. Browse to the URL http://webcaat.org/webcaat/

2. Sign into the system using the id 'hru1' and the password 'hru1'
3. Specify a database of 'hru' (not test)
4. Click the "sign in" button
5. Select the table 'Refunds' from the drop down list
6. Select the menu item 'Numeric functions | Summarization'
7. Enter the information in to be summarized
8. Click the "Process" button
9. View the results

Were the results as you expected?

Which employee had the largest number of transactions and dollar amount of
transactions?

Were they significantly different from the others?

What plausible explanations are there be for this?

Answer to exercise

Next exercise
 Exercise 1 - Data Summarization (answer)

Click the video below to see the answer to this exercise. Length 3:12

Fraud_Detection_Answer_Exercise_1_3_12_ex1.mp4
Exercise 2 - Data extraction

Data extraction can be used to check several of the expectations. The first of these
expetctations are that the number of elapsed business days is 4 - 6 for refund checks to
be issued once the refund request has come in.

This expectation can be checked by having the system examine the elapsed days
between the date the check is issued and the date that initial request was received and
approved in a phine call.

In order to determine the number of elapsed days between two dates, the built in
MySQL function "datediff" can be used.

To make this determination use the menu item "Numeric Functions|Statistics" and
enter the following information into the "where (criteria) box:
datediff(Check_Date,Call_Date) not between 4 and 6.

This statement, in English, means summarize all the refund amounts where the
difference between the check date and the call date were not between 4 and 6.

After you have run this test, provide the following information.

How many transactions did not have a check issued within 4 - 6 days after the call
date?

How many were earlier?

Were there any transactions that seem highly unusual? Why?

Answer - Exercise 2 (Length of time for refunds) (4:59)

Length 4:59
Fraud_Detection_Answer_Exercise_2_4_59_ex2.mp4
Exercise 3 - Round numbers

There was an expectation that refund amounts should generally not be round numbers
because the amount of the refund is based on the actual sales price plus tax and
shipping.

This can be tested using the following steps:

1. Sign in to the Web CAAT application at http://webcaat.org/webcaat/

2. Select the table "Refunds"
3. Use the menu item "Numeric tests | round numbers"
4. Test the refund amount
5. Click "Process"

How many round number refund amounts were there?

Answer - Exercise 3 Round numbers

Click on the link below to see the exercise done.

Length 2:20
Fraud_Detection_Answer_Exercise_3_2_20_ex3.mp4
Exercise 4 - Trend Analysis

One of the expectations was that there should be a general correlation between the
number and amount of refunds and the amount of sales. This is based upon the
reasoning that the percentage of refunds will tend to remain constant.

One of the tests for this is to simply see what the trend has been for sales over the
recent period and then compare that trend with refunds which have been issued.

This can be accomplished using the ageing function and the following steps:

To determine the refund trend:

1. Sign on to the system at http://webcaat.org/webcaat/

2. Select table "Refunds"
3. Age the refund amount by date, e.g. Call date
4. Use the refund amount as the basis for ageing
5. Select an ageing date of '2008-06-30'
6. Select an ageing bucket of 30
7. Run the report

To determine the sales trend:

1. Select the Revenue table

2. Age revenue transactions based on sales date
3. Use criteria similar to that used for Refunds
4. Run the report

What was the trend for Sales?

What was the trend for Refunds?

Does any of this seem suspicious? Why?

Answer - Exercise 4 Trend line analysis

Length (6:26)
Fraud_Detection_Trend_analysis_spotting_the_unusual_2_57_tr0.mp4
Exercise 5 - Gaps

Because the company uses an automated system to issue refund checks, they have the
expectation that the refund checks are issued using sequentially numbered checks.
Thus, one of the expectations is that a test of the check numbers for refund checks will
not disclose any missing check numbers. This can be tested by using the following
procedure:

1. Sign in to the system at http://webcaat.org/webcaat/ (id 'hru1' , password 'hru1'

and database 'hru'
2. Select the table named "Refunds"
3. Use the menu item "Numeric functions | Numeric Sequence Gaps"
4. Select the numeric column which has the value to be tested (check number)
5. Click "Process"

What did your analysis show?

Is the system working properly?

Answer - Exercise 5 Gaps (2:04)

Length 2:04
Fraud_Detection_Answer_Exercise_5_2_04_ex4.mp4
Exercise 6 - Identify "odd" hour transactions
Exercise 6 - Identify "odd" hour transactions

One of the expectations developed was that there should be no transaction

authorizations outside of normal business hours. The business operates five datys a
week between 8:00 a.m. and 5:00 p.m. and they do not accept calls outside those
hours. Therefore there should be no authorizations for refunds outside of these hours.

This can be tested using the following procedure:

1. Log in to the system at http://webcaat.org/webcaat/

2. Select the table "Refunds"
3. Use the menu function pertaining to date functions and Date Selection
4. Specify the days of the week to test
5. Specify the hours of the day to test
6. Specify the "and" operation
7. Click "Process"

Did your analysis confirm that there are no authorizations outside of regular business
hours?

If there were authorizations outside of normal business hours, during what time did
they occur?

Answer - Exercise 6 (4:27) Length 4:27

Fraud_Detection_Answer_Exercise_6_4_27_ex6.mp4
Exercise 7 - Liars and Outliers

For this exercise determine the five largest refunds issued overall as well as the five
largest refunds approved by the call center representative "CF". This can be
accomplished by performing the following steps:

1. Log in to the system at http://webcaat.org/webcaat

2. Select the table "Refunds"
3. Select the menu item "Numeric functions | extreme values"
4. Select the column "Refund amount"
5. Click "Process"

To find the five largest refunds issued by the call center representative "CF" it will be
necessary to provide criteria which limits the test to just those transactions handled by
"CF". That criteria would be specified as follows:

`Call_Center_Employee` = 'CF'

Note that the column name for call center employee contains blanks so therefore it
must be enclosed by opening apostrophes - this character is found in the upper left
portion of the keyboard just to the left of the number "1" key. The initials of the
employee should be enclosed in a single apostrophe.

Take care in entering this criteria information, otherwise an error will occur. (You
may want to copy and paste this text into the Criteria box on the form).

What was the largest refund amount approved and issued by this employee?

Answer - Exercise 7 Liars and Outliers (7:32)

Length 7:32
Fraud_Detection_Answer_Exercise_7_7_32_ex7.mp4
Exercise 8 - Looking out for #1

The purpose of this exercise is to test the expectation that refund amounts will
generally conform with the amounts predicted by Benford's Law. The reason for the
expectation is that refund amounts are based on actual sales amounts which have a
fairly high range from low to high and are based upon calculated amounts. Also, there
is no single "best seller" that would tend to skew the dollar amounts.

The test of this expection can be performed using the following steps:

1. Sign in to the system at http://webcaat.org/webcaat

2. Select the table "Refunds"
3. Use the Menu item "Numeric Procedures | Benford's Law"
4. Select the column to be tested of "Refund_Amount" from the drop down list
5. Use a Benford test type of "F1" which is also selected from the drop down list.
6. Click the "Process" button.

What was the Chi Square value obtained?

Does it appear that the refund amounts do in fact follow Benford's Law?

Answer - Exercise 8 Looking out for number one Length 3:51

Fraud_Detection_Answer_Exercise_8_3_51_ex8.mp4
 Setting up an electronic audit program
In this section, the basics of setting up an electronic audit program to enable the tests
performed in this course to be performed on a repetitive automated basis are covered.

The steps in setting up an electronic audit program are as follows:

1. Develop a narrative audit program as a text document. This document should

be generally similar in format to that of existing audit programs.
2. Insert special instruction markers within the document in order to format and
sequence the steps in the audit program.
3. Import the document as an audit program using the menu item.
4. Develop the scripts for the automated program steps. These will consist of pairs
of scripts. The first script will prompt for the information required to perform
the step. The second script will take the input information, run the program step
and display the results.
5. Save the scripts developed and note the names assigned to the script files.
6. Assign the script file names developed to the audit program steps.
7. Test the electronic audit program to ensure it functions as intended.

The short video narratives in this section walk through the process used to develop
and implement an electronic audit program for the specific program steps in this
exercise to investigate and detect fraud.
Click on the link below to see an overview of the process
Length: 2:04