Singh 2016

Managerial Auditing Journal

Interactive visual analysis of anomalous accounts payable transactions in SAP enterprise systems
Kishore Singh, Peter Best
Article information:
To cite this document:
Kishore Singh, Peter Best (2016), "Interactive visual analysis of anomalous accounts payable transactions in SAP enterprise systems", Managerial Auditing Journal, Vol. 31 Iss 1 pp. 35-63
Permanent link to this document:
http://dx.doi.org/10.1108/MAJ-10-2014-1117
Downloaded on: 02 February 2016, At: 01:50 (PT)
Downloaded by New York University At 01:50 02 February 2016 (PT)

References: this document contains references to 65 other documents.


The full text of this document has been downloaded 60 times since 2016 (download information correct at time of download).
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/0268-6902.htm

Interactive visual analysis of anomalous accounts payable transactions in SAP enterprise systems
Kishore Singh and Peter Best
Accounting, Finance and Economics, Griffith University, Nathan, Australia

Abstract
Purpose – The purpose of this paper is to demonstrate the technical feasibility of implementing
multi-view visualization methods to assist auditors in reviewing the integrity of high-volume
accounting transactions. Modern enterprise resource planning (ERP) systems record several thousands
of transactions daily. This makes it difficult to find a few instances of anomalous activities among
legitimate transactions. Although continuous auditing and continuous monitoring systems perform
substantial analytics, they often produce lengthy reports that require painstaking post-analysis.
Approaches that reduce the burden of excessive information are more likely to contribute to the overall
effectiveness of the audit process. The authors address this issue by designing and testing the use of
visualization methods to present information graphically, to assist auditors in detecting anomalous and
potentially fraudulent accounts payable transactions. The strength of the authors’ approach is its
capacity for discovery and recognition of new and unexpected insights.
Design/methodology/approach – Data were obtained from the SAP enterprise (ERP) system of a
real-world organization. A framework for performing visual analytics was developed and applied to the
data to determine its usefulness and effectiveness in identifying anomalous activities.
Findings – The paper provides valuable insights into understanding the use of different types of
visualizations to effectively identify anomalous activities.
Research limitations/implications – Because this study emphasizes asset misappropriation,
generalizing these findings to other categories of fraud, such as accounts receivable, must be made with
caution.
Practical implications – This paper provides a framework for developing an automated
visualization solution which may have implications in practice.
Originality/value – This paper demonstrates the need to understand the effectiveness of
visualizations in detecting accounting fraud. This is directly applicable to organizations investigating
methods of improving fraud detection in their ERP systems.
Keywords Fraud, Business intelligence, Visualization, Audit trail analysis, Continuous monitoring,
Continuous auditing
Paper type Research paper

1. Introduction
Modern integrated enterprise resource planning (ERP) systems are capable of recording
several thousands of transactions daily. This makes it difficult to find a few instances of
anomalous activities among legitimate transactions. For large organizations operating
in an evolving global digital marketplace, this means monitoring hundreds of thousands
of transactions and then investigating suspicious ones in-depth. This may involve
considerable expense. The demand for systems that continuously monitor transaction
data is growing as organizations become more complex, demand more integrated
business processes and acquire a global footprint (Vasarhelyi et al., 2010). The objective
of continuous auditing and continuous monitoring (CA/CM) systems is to provide
constant surveillance of transaction data on a real- or near real-time basis against a set
of predetermined rule sets (Kuhn and Sutton, 2010). Such systems automate standard
audit processes and procedures (Vasarhelyi et al., 2012; AuditNet, 2012; Kotb and
Roberts, 2011), thereby enabling compliance personnel to provide a degree of assurance
on information shortly after disclosure (Rezaee et al., 2002). Consequently, as the number
of technology-enabled businesses continues to grow, new needs arise for continuous
auditing and monitoring concerning: changes in the environment and industry, the
existence and effectiveness of controls, increased human resource risks, increased use of
outsourced processes, process continuity and integrity and coherence between
endogenous and exogenous factors (Vasarhelyi et al., 2004).


Despite the fact that CA/CM systems perform substantial data analytics, they often
produce lengthy reports that require painstaking post-analysis. This issue, often identified
in the literature as information overload (Alles et al., 2008, 2006; Kuhn and Sutton, 2006),
indicates that simple blind querying of data is insufficient. Approaches that reduce the
burden of excessive information are more likely to contribute to the overall effectiveness of
the audit process. One method is to use visualization to present information graphically
(Gleicher et al., 2011; Fetaji, 2011; Liang and Miranda, 2001; Eick, 2000).
Visualization is a general term used to describe any technology that enables users to “see”
information to help them better understand it and put it into an appropriate context (Graphviz,
2010; TechTarget, 2010; Song, 2000; Herman et al., 2000). Market-leading audit software
tools such as ACL (Audit Command Language) incorporate some visualization features (e.g.
charts) along with those associated with data manipulation (e.g. joining multiple files,
sorting), data analysis (e.g. stratification, summarization), audit sampling and reporting.
More broadly, visualization methods go beyond the use of standard charts and graphs,
displaying data in more sophisticated ways such as dials and gauges, node-link maps, heat
maps, tree maps and detailed bar and pie charts (Jinson and Mao Lin, 2013). Patterns, trends
and correlations that may potentially go undetected in text-based data can be exposed and
recognized with less effort. Visualizations help an auditor make sense of large data sets. Their
strength lies in their capacity for discovery and the recognition of new insights that are
unexpected by users. High volume data may be visualized as a collection of points in
two-dimensional space using one or several techniques mentioned above (Gansner et al.,
2010; Ghoniem et al., 2005).
In this research, we develop a prototype providing a multi-view visualization
approach that assists auditors in reviewing the integrity of a large number of accounts
payable transactions, and detecting potentially fraudulent activity. This paper extends
the earlier work of Singh et al. (2013), who developed a model for the detection of vendor
fraud in enterprise system audit trails. This paper demonstrates the technical feasibility
of generating visual methods to complement processes and techniques embedded in
CA/CM systems. The paper is arranged as follows. Section 2 presents related literature
in the area of visualization. Section 3 describes the research methodology applied,
including task analysis, system design, prototype implementation and testing. Section 4
discusses contributions and limitations of the study, and finally, we offer concluding
comments and future directions for visualization research in Section 5.

2. Related literature
Early and efficient detection of anomalous activities often coincides with the analysis of
complex networks (referred to as graphs in scientific literature) (Di Giacomo et al., 2010).
Visually representing such networks may convey useful information that helps auditors
mine relevant patterns (Didimo and Liotta, 2006). In the context of anomaly detection,
several approaches for visual analysis of suspicious activities are discussed in the
extant literature.
Tory and Moller (2004) review methodologies for conducting human factors
research, with a specific emphasis on visualization. They summarize a number of
mechanisms by which visualizations can provide cognitive support, including:
• increased resources such as storing large volumes of data in an accessible form;
• reduced search by representing large volumes of data in a small space;
• enhanced recognition such as allowing higher level patterns to be recognized;
• perceptual monitoring, allowing monitoring of a large number of potential events; and
• manipulable medium, by allowing the user to manipulate the organization of data
to recognize different patterns.

These mechanisms are of particular relevance to the detection of fraud in large ERP
systems.
Wang et al. (2008) developed an interactive visual analytics system to explore the
Global Terrorism Database. The system is designed around depicting the most
fundamental concepts in investigative analysis, the five Ws (who, what, where, when
and why). They informally evaluated this approach and found that the system was
capable of assisting an analyst in building an integrated understanding of terrorist
activities. Huang et al. (2009) proposed a new visualization approach specifically
designed to solve the fraud detection problems in financial markets. Their visualization
framework used a 3D Treemap to perform visual surveillance of stock market and
behaviour-driven visualizations to analyse stock trading networks of suspicious
transactions. The system identifies fraud by matching observed patterns against similar
ones in a pattern database.
Chang et al. (2007) presented the WireVis system, which is specifically tailored for
visual analysis of financial wire transactions. This system assists analysts in exploring
large numbers of wire transactions and it combines keyword network views, heat maps,
search-by-example and Strings and Beads visualization. Tang et al. (2010) presented a
social network analysis approach to help detect financial crimes. They described the
relationship between detecting financial crimes and the social Web and demonstrated
the application of social network analysis techniques to find suspicious online financial
activities. Both the methodologies of Chang et al. (2007) and Tang et al. (2010) use charts
and plots; however, they make little use of graph visualizations. Di Giacomo et al. (2010)
presented V4F. This system was designed to assist an analyst to easily correlate data
and to discover complex networks of potentially illegal activities. The system uses
graph visualizations. Didimo et al. (2011) extended the V4F system. Their work, VisFan,
is an interactive visual analysis system for discovering financial crimes such as money
laundering and frauds. The system makes use of clustering and other techniques for
visual exploration of complex social networks. VisFan combines several paradigms and
uses a force-directed drawing technique to produce graph visualizations.
Dilla et al. (2010) present a taxonomy for examining the state of interactive data
visualization research related to decisions made by accountants and auditors. The
authors identify a wide number of research gaps and future research opportunities,
including using the results of earlier research on search processes used by accounting
professionals to build visualization designs and prototypes, and test their effectiveness,
and examining the efficacy of interactive visualization techniques for specific tasks,
including fraud detection. This is the strategy adopted in this research.
Wang et al. (2012) proposed RiskVA, an interactive visual analytics system tailored
to support credit risk analysis. Their system supports interactive data exploration and
information correlation over a large corpus of credit data. This enables analysts to
compare the performance of credit products via visually revealing market fluctuations
and temporal trends of the targeted credit products.
Argyriou et al. (2013) proposed a system to detect occupational fraud in business
systems. In their system, entity pairs such as employee–client involved in fraud are
detected. The main visualization in this system consists of a spiral axis on which the
data are mapped based on time of occurrence. Periodic events such as an employee
possibly falsifying an invoice appear suspicious and need further investigation. Their
methodology, however, does not use graph visualizations. Commercial systems that use
graph visualization tools include i2 Analyst Notebook (IBM, 2014), Netmap (NetMap,
2014), Modeler (DataWatch, 2014) and Xanalys Link Explorer (Xanalys, 2014). These
applications all implement classical layout algorithms to represent relational data, like
force-directed algorithms, hierarchical layout algorithms and circular drawing
algorithms (Battista et al., 1998).
This research adopts a user- and task-based design approach (Tory and Moller,
2004). This requires determination of the tasks the user wants the system to support.
Common fraud schemes, preventive measures and symptoms (“red flags”) are
well-documented (Albrecht et al., 2009; Singleton et al., 2008; Lanza, 2007, 2003; O’Gara,
2004; Greene, 2003a; Little and Best, 2003; ACFE, 2012; Wells, 2011). The objective is to
use this knowledge base and design visualization methods that capitalize on the
mechanisms that can potentially provide cognitive support for the detection of accounts
payable fraud in ERP systems: storing large volumes of data in an accessible form,
facilitating efficient search of data and recognition of patterns, allowing monitoring of
large numbers of transactions and allowing the user to modify the search interactively
(Tory and Moller, 2004). This research approach determines system requirements based
on the tasks that users need to perform. It focuses on detection of accounts payable fraud
in SAP systems, and potential symptoms such as breaches in segregation of duties (SoD)
principles, flipping of bank accounts and sharing of bank accounts.
The multi-view approach adopted in this research assists auditors in exploring large
accounts payable transaction data tables. The method is interactive and it makes use of
regular structured query language (SQL) queries to produce filtered data sets, an
interactive dashboard that provides a high-level overview of various activities
performed and graph visualizations that show relationships among users, vendors and
transactions. This approach filters and aggregates an enormous amount of transaction
data efficiently and enables an auditor to promptly identify relationships or patterns in
data that would otherwise be difficult to accomplish in textual data. We test a prototype
using real-world transaction data from a large multi-national manufacturing
organization’s ERP system (Singh, 2012). We also acknowledge that transactions that
occur outside an ERP system cannot be visualized using this method (Lanza, 2007).

3. Research methodology
This research follows the four-stage research methodology proposed by Tory and
Moller (2004):
(1) Task analysis;
(2) Design;
(3) Implement prototype; and
(4) Test.

Task analysis identifies user requirements for the target visualizations and considers
user interface limitations. The design process defines specifications for data, processes
and interfaces, to meet these user requirements. The design is implemented using a
prototype, which is a trial version of the system used to test the concept, obtain feedback
from users and guide the production of a working system. Finally, testing involves
verification that the prototype performs as specified and validation to ensure that it
meets its specific intended purposes.

3.1 Task analysis


Procedures to detect anomalous accounting activities are well-documented in the
literature (Albrecht et al., 2009; Singleton et al., 2008; Lanza, 2007, 2003; O’Gara, 2004;
Greene, 2003a; Little and Best, 2003; ACFE, 2012; Wells, 2011). These methods may be
categorized as:
• violations in SoD principles; and
• known fraud schemes.

This research emphasizes the former; however, some attention is also given to the latter.
Key indicators for frauds are lack of internal controls or an ability to override existing
internal controls that are poorly implemented (ACFE, 2014). The concept of separating
critical business activities to reduce fraud is termed “segregation of duties”. SoD
principles emphasize that sensitive tasks should be divided into two or more steps, with
each step being performed by a different user, thereby reducing conflicts of interest
(Best et al., 2009; Coleman, 2008; Li et al., 2007; Srinidhi, 1994). For example, to perpetrate
a vendor fraud, an employee may create a shell company and submit fictitious invoices
for payment by the victim organization (Best et al., 2009; O’Gara, 2004; Greene, 2003b;
Wells, 2002; Bologna, 1992). To successfully perpetrate this scheme, an employee has to
violate SoD by creating (or modifying) vendor master records and entering invoices for
payment (Little and Best, 2003; Best et al., 2009).
SAP ERP implements standard authorization concepts to protect transactions and
programs from unauthorized access. Only users who are assigned correct
authorizations are permitted to execute related transactions. This means that the
software itself restricts access based on the “principle of least privilege”. Therefore,
users must be authorized to perform an activity rather than be restricted from doing it
(Little and Best, 2003). However, as users move within an organization, they may
accumulate multiple authorizations, resulting in them having the ability to perform
incompatible transactions that may result in violations in SoD. Such violations may be
detected by examining transactions performed by users. SAP audit trails record detailed
descriptions of transactions performed within the system. Singh et al. (2013) provide a
detailed explanation of how SAP audit trails may be used to detect violations in SoD.
Violations such as entering an invoice and processing a payment may be identified by
examining specific transactions users have entered in the system.
Based on the above, the system being developed is intended to provide support for
auditor detection of accounts payable fraud in ERP systems, considering the risk of
information overload typically associated with traditional reports. In particular, visual
support is required for recognition of typical symptoms of such frauds, such as breaches
in SoD principles, vendor sharing of bank accounts, vendors with multiple bank
accounts, changes to vendor bank account details and unexpected frequencies of lead
digits in accounting transactions.


Once developed, the system should support financial auditors on a routine basis
when reviewing accounts payable transactions, and changes to vendor master records,
and generally assessing the risk of accounts payable fraud. Some assistance from IT
personnel may be needed to extract data from the ERP system, though this can also be
automated, depending on the ERP system. For this to be achieved, the system should
satisfy the following performance criteria to justify its adoption:
• Simplicity: Easy to understand.
• Aggregation: Useful in aggregating large volumes of information.
• Exploration: Enable the exploration of data by drilling down on items or issues.
• Relationships: Enable the identification of relationships or patterns in the data that
would otherwise be difficult to achieve with textual data.
• Detection: Enhance investigation and analysis for potential fraud.
• Innovation: Provide an innovative way of presenting information.

These criteria are used during the testing stage to evaluate the results from testing the
prototype (see Section 3.4).

3.2 System design


The visualizations developed in this research present structural information as
diagrams of abstract graphs and networks (Singh, 2012). Graphs capture relationships
between objects and allow auditors to visualize these relationships easily (Gansner et al.,
2010). A commonly used graphical representation is a node-link diagram. In this
diagram, each node is shown as a point, circle, polygon or some other graphical object,
and each edge is shown as a line or curve connecting the two nodes. Nodes are placed in
two-dimensional space, and edges represent relationships between the nodes. The
choice of node-link diagrams for visualizations simplifies identification of relationships
(McGuffin, 2012). The goal is to create a representation that makes the underlying data
understandable and visually appealing.
Visualizations such as charts and graphs, dashboards, node-link diagrams, heat maps
and tree maps help users to “see” information to gain a better understanding of the
context (Jinson and Mao Lin, 2013). The overall picture may convey a clear and
immediate impression of the underlying data (Hensinger, 1986). This system
incorporates several techniques to visualize user activities within accounts payable.
Dashboards organize and present information in a way that is easy to read and interpret.
The aim is to integrate information from multiple sources into a unified display and to
capitalize on human cognition and perception (Yigitbasioglu and Velcu, 2012). For example,
a product might obtain data from the local operating system in a computer, from one or more
applications that may be running, and from one or more remote sites on the Web and present
it as though it all came from the same source. Data analytics often use dashboards that
involve dynamic analysis and reporting of real- or near real-time data obtained from a
system (Nigrini, 2011; Marane, 2008; NIST, 2003). These dashboards may be customized in
a multitude of ways and named accordingly (Marane, 2008); for example, the fraud analytics
dashboard developed in this study organizes and presents data about various indicators in
an accounts payable system (Singh, 2012).
Node-link diagrams enable auditors to visualize relationships easily. In this method,
a node is shown as a circle, polygon or some other graphical shape, and an edge is shown
as a line or curve connecting the two nodes. Nodes are placed in two-dimensional space,
and edges represent relationships between the nodes. The goal is to create a
representation that makes the underlying data understandable and visually appealing.
Little and Best (2003) proposed the following two SoD principles for accounts payable:
(1) separation of master record maintenance from transaction entry; and
(2) separation of payments and cheque entry from invoice data entry.

Their motivation was that users who have these authorizations are capable of creating
shell companies and paying fictitious invoices without being detected. If these
authorizations are enforced, this type of fraud may only be perpetrated when two
employees collude. The following node-link visualizations produced in this study may
facilitate prompt discovery of the aforementioned violations in SoD:
• users performing vendor maintenance, entering invoice and processing
payments;
• users performing vendor maintenance and processing payments;
• users performing vendor maintenance and entering invoices; and
• users entering invoices and processing payments.
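
The four SoD views listed above can be derived from an audit-trail extract by mapping transaction codes to activities and intersecting the activity sets per user. The following Python sketch is an added example, not the authors' SAS/SQL code; the transaction-code mapping (the paper itself names only F110), the row layout and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed mapping of SAP transaction codes to accounts payable activities.
# Only F110 appears in the paper; the other codes are standard SAP codes
# picked for this illustration and must be adapted to the audited system.
ACTIVITY_BY_TCODE = {
    "FK01": "vendor_maintenance",  # create vendor
    "FK02": "vendor_maintenance",  # change vendor
    "FB60": "invoice_entry",       # enter vendor invoice
    "MIRO": "invoice_entry",       # enter incoming invoice
    "F110": "payment",             # automatic payment run
    "F-53": "payment",             # post outgoing payment
}

# The four SoD views from the list above, most severe first.
SOD_VIEWS = [
    ("maintenance+invoice+payment",
     {"vendor_maintenance", "invoice_entry", "payment"}),
    ("maintenance+payment", {"vendor_maintenance", "payment"}),
    ("maintenance+invoice", {"vendor_maintenance", "invoice_entry"}),
    ("invoice+payment", {"invoice_entry", "payment"}),
]

# Constructed audit-trail rows: (user, transaction code, vendor).
SAMPLE_AUDIT_TRAIL = [
    ("USER_A", "FK02", "V100"),
    ("USER_A", "FB60", "V100"),
    ("USER_A", "F110", "V100"),
    ("USER_B", "FB60", "V200"),
    ("USER_B", "F-53", "V300"),
    ("USER_C", "FK01", "V400"),
    ("USER_D", "FK02", "V200"),
    ("USER_D", "F110", "V200"),
    ("USER_E", "FB60", "V500"),
    ("USER_E", "SU01", "-"),  # not an accounts payable activity, ignored
]


def activity_sets(rows, key):
    """Collect the set of mapped activities per key(row); unmapped codes are skipped."""
    acts = defaultdict(set)
    for row in rows:
        activity = ACTIVITY_BY_TCODE.get(row[1])
        if activity is not None:
            acts[key(row)].add(activity)
    return acts


def users_by_sod_view(rows):
    """Place each user in the most severe SoD view their activities satisfy."""
    views = {name: [] for name, _ in SOD_VIEWS}
    per_user = activity_sets(rows, key=lambda r: r[0])
    for user, acts in sorted(per_user.items()):
        for name, required in SOD_VIEWS:
            if required <= acts:
                views[name].append(user)
                break
    return views


def same_vendor_conflicts(rows):
    """(user, vendor) pairs where one user performed incompatible activities
    on the same vendor, the strongest lead for follow-up."""
    per_pair = activity_sets(rows, key=lambda r: (r[0], r[2]))
    return {pair: sorted(acts) for pair, acts in per_pair.items() if len(acts) > 1}


if __name__ == "__main__":
    for view, users in users_by_sod_view(SAMPLE_AUDIT_TRAIL).items():
        print(view, users)
    print(same_vendor_conflicts(SAMPLE_AUDIT_TRAIL))
```

Each non-empty view is a filtered data set of the kind the paper feeds into a node-link diagram; the per-vendor result narrows it to users who touched the same vendor in incompatible roles.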

A special case of vendor fraud occurs when an employee modifies an existing legitimate
vendor by changing the vendor’s banking details temporarily to their own (or some
other fraudulent account that they have set up), processes a payment for the vendor and
thereafter reverts the vendor’s banking details to the original values (flipping) (Figure 1).
This scenario is extremely difficult to discover among thousands of legitimate
transactions (Best et al., 2009; Singh, 2012).
The following visualizations may assist an auditor in effectively discovering vendor
fraud relating to flipping of vendor banking details:
• Vendors sharing bank accounts: Should an employee set up one or more shell
companies to perpetrate vendor fraud and use a common account to have
payments sent to, then among the visualization of vendor bank accounts, it will
appear that both a legitimate vendor and one or more other vendors shared the
same bank account during the analysis period.
• Vendors with multiple bank accounts: Should an employee temporarily or
permanently modify an existing legitimate vendor’s banking details (for genuine
or fraudulent reasons), then these changes visually appear as though the vendor
had more than one bank account during the analysis period.
• Timeline analysis for vendor bank account changes (relates to vendors with multiple
bank accounts): This report lists transactions that are processed to any or all listed
bank accounts that a vendor may have had during the analysis period.

Figure 1. Flipping vendor bank account details
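
The three bank-account views above reduce to simple set and sequence checks over a vendor master change log and a payment list. The following Python sketch is an added example, not the authors' code; the record layouts, the 30-day reversal window and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; the field layouts are assumptions for this example.
# Bank detail changes: (change_date, vendor, user, old_account, new_account)
CHANGES = [
    (date(2015, 3, 2), "V100", "USER_A", "ACC-111", "ACC-999"),
    (date(2015, 3, 5), "V100", "USER_A", "ACC-999", "ACC-111"),
    (date(2015, 4, 1), "V200", "USER_B", "ACC-222", "ACC-333"),
]
# Payments: (payment_date, vendor, account_paid, amount)
PAYMENTS = [
    (date(2015, 2, 20), "V100", "ACC-111", 1200.00),
    (date(2015, 3, 3), "V100", "ACC-999", 8400.00),
    (date(2015, 3, 20), "V100", "ACC-111", 1150.00),
    (date(2015, 3, 10), "V200", "ACC-222", 300.00),
    (date(2015, 4, 10), "V200", "ACC-333", 310.00),
    (date(2015, 3, 4), "V300", "ACC-999", 5000.00),
]


def accounts_by_vendor(changes, payments):
    """Every bank account a vendor held or was paid on during the period."""
    seen = defaultdict(set)
    for _day, vendor, _user, old, new in changes:
        seen[vendor].update((old, new))
    for _day, vendor, account, _amount in payments:
        seen[vendor].add(account)
    return seen


def vendors_with_multiple_accounts(changes, payments):
    held = accounts_by_vendor(changes, payments)
    return {v: sorted(a) for v, a in held.items() if len(a) > 1}


def shared_accounts(changes, payments):
    """Bank accounts that appear under more than one vendor."""
    vendors = defaultdict(set)
    for vendor, accounts in accounts_by_vendor(changes, payments).items():
        for account in accounts:
            vendors[account].add(vendor)
    return {a: sorted(v) for a, v in vendors.items() if len(v) > 1}


def find_flips(changes, payments, max_days=30):
    """Flag a change X->Y followed by Y->X within max_days (an assumed window),
    together with the payments sent to Y while the vendor was flipped."""
    by_vendor = defaultdict(list)
    for change in sorted(changes):
        by_vendor[change[1]].append(change)
    flips = []
    for vendor, events in by_vendor.items():
        for first, second in zip(events, events[1:]):
            d1, _, u1, old1, new1 = first
            d2, _, u2, old2, new2 = second
            reverted = old2 == new1 and new2 == old1
            if reverted and (d2 - d1).days <= max_days:
                paid = [(d, amt) for d, v, acc, amt in payments
                        if v == vendor and acc == new1 and d1 <= d <= d2]
                flips.append({
                    "vendor": vendor,
                    "temporary_account": new1,
                    "changed_by": sorted({u1, u2}),
                    "window": (d1, d2),
                    "payments": paid,
                    "paid_while_flipped": sum(amt for _d, amt in paid),
                })
    return flips


if __name__ == "__main__":
    print(vendors_with_multiple_accounts(CHANGES, PAYMENTS))
    print(shared_accounts(CHANGES, PAYMENTS))
    for flip in find_flips(CHANGES, PAYMENTS):
        print(flip)
```

In the constructed data the temporary account of the flipped vendor is also the account of a second vendor, so the flip and the shared-account view point at the same account.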

Once an auditor has identified users who violate SoD, he/she has a basis for further
investigation of these individuals. The auditor may choose to investigate detailed
activities performed by the targeted user, for example all bank account changes, invoice
transactions, payment transactions, duplicate transactions and vendors that the user
may have interacted with. Such investigations may potentially reveal further
clandestine activities such as collusion.
Finding potential collusion in accounting transactions is challenging and there is no
“silver bullet” to effectively identify this category of fraudulent activity. Employees may
collude to overcome well-designed internal controls (Wells, 2011). ACFE (2014) found
that 18.9 per cent of fraud against organizations occurred due to employees overriding
existing internal controls and 32.2 per cent as a result of a lack of proper internal
controls. A classic scenario in which three employees (colleagues) may conspire to
perpetrate fraud against their organization would be as follows:
• they set up a shell company (fake vendor record);
• employee 1 submits a fictitious order for goods or services;
• employee 2 authorizes the purchase; and
• employee 3 authorizes payment for the fictitious invoice.

Each task is handled by an employee with duties authorized for their specific role;
consequently, they are able to bypass internal controls. Discovering such collusion may
be very difficult (Wells, 2011). Visualizations produced in this study have the potential
to highlight such activities which may assist an auditor in directing their investigations.
Charts and graphs are diagrammatic representations of a data set. They assist a
reader to easily interpret discrete or continuous data. The information usually
determines the presentation method; for example, a continuous line chart implies that
values can be taken at any point on the line. Conversely, discrete data are more suited to
being plotted using a bar or column chart (Hensinger, 1986). This study predominantly
uses bar charts to demonstrate conformity of invoice amounts to Benford’s law, or
the law of large numbers, which gives expected frequencies of digits in numerical data
(Benford, 1938). Frank Benford found that contrary to common belief, digits in tabulated
data are not equally likely and are biased towards lower digits. The basic digits tests are
tests of the first digit, second digit and first-two digits. These are called the first-order
tests. The first digit test is a high-level test of reasonableness that is actually too
high-level to be of much use. For accounts payable and other data sets involving prices,
the first-two digits test is a more focused test that detects abnormal duplications of
digits and possible biases in the data (Nigrini, 2011). This study implements Frank
Benford’s first-two digits test to investigate accounts payable transaction data. Spikes
in the results may be indicative of fraud and require further investigation.
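
The first-two digits test compares the observed share of each leading pair 10 to 99 with the Benford expectation log10(1 + 1/d). The following Python sketch is an added example, not the authors' SAS code; flagging spikes with a continuity-corrected z-statistic at 1.96 is one common choice assumed here, and the invoice amounts are constructed (a Benford-conforming base plus 60 invoices just below an assumed 5,000 approval limit).

```python
import math
from collections import Counter
from decimal import Decimal


def first_two_digits(amount):
    """First two significant digits (10..99) of a positive amount, else None."""
    value = Decimal(str(amount))
    if value <= 0:
        return None
    digits = value.as_tuple().digits  # coefficient digits, no leading zeros
    second = digits[1] if len(digits) > 1 else 0
    return digits[0] * 10 + second


def expected_proportion(d):
    """Benford expectation for a first-two digits combination d in 10..99."""
    return math.log10(1 + 1 / d)


def first_two_digits_test(amounts):
    """Observed count, expected count and z-statistic for every pair 10..99."""
    pairs = [d for d in map(first_two_digits, amounts) if d is not None]
    n = len(pairs)
    counts = Counter(pairs)
    results = []
    for d in range(10, 100):
        p_exp = expected_proportion(d)
        diff = abs(counts[d] / n - p_exp)
        correction = 1 / (2 * n)  # continuity correction, applied only if smaller
        if correction < diff:
            diff -= correction
        z = diff / math.sqrt(p_exp * (1 - p_exp) / n)
        results.append({"digits": d, "observed": counts[d],
                        "expected": p_exp * n, "z": z})
    return results


def spikes(results, z_critical=1.96):
    """Pairs that occur significantly more often than Benford predicts."""
    return [r for r in results
            if r["z"] > z_critical and r["observed"] > r["expected"]]


def constructed_invoices():
    """Constructed sample: log-uniform amounts between 10 and 10,000 (which
    follow Benford's law) plus 60 invoices between 4,900 and 4,959."""
    base = [round(10 ** (1 + 3 * k / 2000), 2) for k in range(2000)]
    just_under_limit = [4900.0 + i for i in range(60)]
    return base + just_under_limit


if __name__ == "__main__":
    for row in spikes(first_two_digits_test(constructed_invoices())):
        print(row["digits"], row["observed"], round(row["expected"], 1),
              round(row["z"], 1))
```

The `observed` and `expected` columns are what the bar chart in the paper plots; the z-statistic only ranks which bars deserve a drill-down.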

3.3 Prototype implementation


In our system, data are extracted from several SAP tables, pre-processed into a standard
format and further processed using SAS®. SQL queries filter and process data using
rules based on instructions such as those defined in Section 3.2. The results are a series
of data sets that may potentially contain hundreds or more records. These filtered data
sets become the source data for visualizations (Singh, 2012). Visualizations are produced
in Graphviz, an open-source graph visualization software that enables structured
information to be represented as diagrams of abstract graphs and networks (Graphviz,
2010). Graphviz was selected for prototype implementation because open-source
software is free and this assists in minimizing audit costs. Graphviz uses the DOT
language to describe graphs. In DOT, there are three types of objects: graphs, nodes and
edges. Graphs may be undirected or directed. Layout programs in Graphviz take
descriptions of graphs written in DOT, and produce diagrams. For example, the following
directed graph, defined in DOT, produces a simple node-link diagram (Figure 2):
DOT code requires several attributes to be defined for graphs, nodes and edges
(Koutsofios and North, 1991). Nodes may be drawn as ellipses, boxes, records or
plaintext (no outline). Node shapes may be polygon or record-based. The default node
label is its name. Node and edge labels need to be set explicitly. Multi-line labels are also
possible. Colour attributes can be specified for both nodes and edges. Other
characteristics such as orientation, size, spacing and placement are all configurable. For
example, the following visualization (Figure 3) demonstrates the relationship among
users and the types of transactions they perform.
To produce this visualization, 74 lines of DOT code are required. A small section of
the DOT code follows (an explanation on how this code is generated follows).
Furthermore, complex visualizations may potentially contain hundreds or thousands of
lines of DOT code that may vary from one visualization to the next:
    digraph G { bgcolor=lightcyan ranksep=3; ratio=auto; rotate=0;
    overlap="false"; "Hub" [label = " ", fontname = "arial", fontsize = 8,
    shape = "oval", style = "rounded", color = "transparent" ] ;
    "AMILA" [label ="User\nAMILA", fontname = "arial", fontsize = 8,shape
    = "Mrecord", style = "bold", color = "black" ] ;
    ...
    "F110" [label ="F110", fontname = "arial", fontsize = 8,shape =
    "oval", style = "bold", color = "black" ] ;
    ...
    "AMILA" -> "F110" [ label=" 1", penwidth=1.5, fontname =
    "arial",fontsize = 8, color="red",arrowhead="vee" ] ;
This study develops an innovative solution, referred to as the Graphviz code writer, to
address the problem. The Graphviz code writer uses filtered data sets as input and
dynamically produces DOT code ready for execution by Graphviz layout programs. It
also invokes Graphviz and executes DOT code on a user’s behalf and displays resulting
visualizations. The complete code generation sequence is illustrated below (Figure 4).
The Graphviz code writer is a “black box” solution that translates a data set into DOT
code. It assumes that the data set contains the targeted filtered records only. Below is a
description of the code generation process from the preceding example (Figure 2) to
illustrate this process:
Step 1 – read filtered data set into the Graphviz code writer.
Step 2 – define the type of graph (directed in this example), preconfigure related
attributes and identify the hub of the graph.
Code writer:

    Select 'digraph G { bgcolor=lightcyan ranksep=3; ratio=auto; rotate=0;
    overlap="false"; "Hub" [label = " ", fontname = "arial", fontsize = 8,
    shape = "oval", style = "rounded", color = "transparent" ];' as codeline

DOT output:

    digraph G { bgcolor=lightcyan ranksep=3; ratio=auto; rotate=0;
    overlap="false"; "Hub" [label = " ", fontname = "arial", fontsize = 8,
    shape = "oval", style = "rounded", color = "transparent" ] ;
Step 3 – extract all user nodes from the data set and preconfigure their attributes. An
SQL select statement extracts the username data.
Code writer:

    Select '"' || trim(username) || '"' || ' [label ="' || 'User\n' ||
    trim(username) || '", fontname = "arial", fontsize = 8,
    shape = "Mrecord", style = "bold", color = "black" ] ; ' as codeline

DOT output:

    "AMILA" [label ="User\nAMILA", fontname = "arial", fontsize = 8,shape
    = "Mrecord", style = "bold", color = "black" ] ;

Figure 2. Simple node-link diagram generated using DOT language

Figure 3. Example of a node-link visualization

Figure 4. Graphviz dynamic visualization process

Step 4 – extract all transaction nodes from the data set and preconfigure their attributes.
An SQL select statement extracts the transaction code (tcode) data.
Code writer:

    Select '"' || trim(tcode) || '"' || ' [label ="' || trim(tcode) || '",
    fontname = "arial", fontsize = 8, shape = "oval", style = "bold",
    color = "black" ] ; ' as codeline

DOT output:

    "F110" [label ="F110", fontname = "arial", fontsize = 8,shape =
    "oval", style = "bold", color = "black" ] ;

Step 5 – find associations between users and transactions, establish edges and
preconfigure the relevant attributes. An SQL select statement extracts the username,
transaction code (tcode) and transaction count (tcounttxt) data. Transaction count is
used as label information for the edges that connect users to transaction codes.
Code writer:

    select distinct '"' || trim (username) || '" -> "' || trim(tcode) ||
    '" [ label=" ' || trim(tcounttxt)|| '", penwidth=1.5, fontname =
    "arial", fontsize = 8, color="red",arrowhead="vee" ] ;' as codeline

DOT output:

    "AMILA" -> "F110" [ label=" 1", penwidth=1.5, fontname =
    "arial",fontsize = 8, color="red",arrowhead="vee" ] ;

Step 6 – export DOT output file. This step concludes the DOT code generation process.
The final step is to invoke Graphviz, execute the DOT code and display the resulting
graph visualization to the auditor.
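
Steps 1 to 6 above as a single routine. This is an added Python illustration, not the authors' SAS-based code writer: the function names and the sample rows are assumptions, and the escaping of data values is an addition that the SQL concatenation shown on the page does not perform.

```python
import shutil
import subprocess

# Step 2 preamble and the node/edge attribute strings, copied from the page.
PREAMBLE = ('digraph G { bgcolor=lightcyan ranksep=3; ratio=auto; rotate=0; '
            'overlap="false"; "Hub" [label = " ", fontname = "arial", '
            'fontsize = 8, shape = "oval", style = "rounded", '
            'color = "transparent" ] ;')
USER_NODE = ('{id} [label ="User\\n{label}", fontname = "arial", fontsize = 8, '
             'shape = "Mrecord", style = "bold", color = "black" ] ;')
TCODE_NODE = ('{id} [label ={id}, fontname = "arial", fontsize = 8, '
              'shape = "oval", style = "bold", color = "black" ] ;')
EDGE = ('{src} -> {dst} [ label=" {count}", penwidth=1.5, fontname = "arial", '
        'fontsize = 8, color="red", arrowhead="vee" ] ;')

# Constructed sample of a filtered data set: (username, tcode, tcounttxt).
# The last row carries a quote and a record separator to exercise the escaping.
SAMPLE_ROWS = [
    ("AMILA", "F110", "1"),
    ("AMILA ", "FB60", "12"),
    ("INDIKA", "FB60", "7"),
    ('TEMP"01|X', "FB01", "3"),
]


def escape(value):
    """Make a data value safe inside a DOT double-quoted string."""
    text = " ".join(str(value).split())      # trim(), and no raw newlines
    # Double backslashes first, then escape quotes, so the value cannot
    # close the quoted string early and add its own nodes or attributes.
    return text.replace("\\", "\\\\").replace('"', '\\"')


def record_escape(value):
    """Escape a value for a record-shaped label, where { } | < > are syntax."""
    text = escape(value)
    for char in "{}|<>":
        text = text.replace(char, "\\" + char)
    return text


def write_dot(rows):
    """Steps 1-5: turn (username, tcode, tcounttxt) rows into DOT text."""
    users, tcodes, edges = {}, {}, {}
    for username, tcode, tcounttxt in rows:
        user_id = '"' + escape(username) + '"'
        tcode_id = '"' + escape(tcode) + '"'
        users[user_id] = record_escape(username)   # dict keys act as DISTINCT
        tcodes[tcode_id] = None
        # int() refuses anything but a number as the edge label.
        edges[(user_id, tcode_id)] = int(tcounttxt)
    lines = [PREAMBLE]
    lines += [USER_NODE.format(id=i, label=l) for i, l in users.items()]
    lines += [TCODE_NODE.format(id=i) for i in tcodes]
    lines += [EDGE.format(src=s, dst=d, count=n) for (s, d), n in edges.items()]
    lines.append("}")
    return "\n".join(lines) + "\n"


def render(dot_text, out_path="users_tcodes.png"):
    """Step 6: pass the DOT text to Graphviz. Returns None if dot is absent."""
    if shutil.which("dot") is None:
        return None
    # Argument list, no shell: the output path is never interpreted as code.
    subprocess.run(["dot", "-Tpng", "-o", out_path], input=dot_text,
                   text=True, check=True)
    return out_path


if __name__ == "__main__":
    print(write_dot(SAMPLE_ROWS))
```

Because the Mrecord shape parses its label, a vendor or user name containing `|` or `{` would otherwise be drawn as extra record fields rather than as text.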
The framework developed above was applied to a real-world case study and the test
results are presented in the following section.

3.4 Testing
Data were obtained from the SAP ERP system of a large organization (specific
information on the organization has been withheld due to confidentiality reasons). The
organization provided a sample of accounting transaction data which included between
500,000 and 800,000 individual transactions across data tables:
• CDHDR – change document headers;
• CDPOS – change document items;
• BKPF – accounting document headers;
• BSEG – accounting document line items; and
• LFA1 – vendor general data, for a six-month period.

The analysis was performed in the following order:
• Initial analytics to produce filtered data sets and dashboard providing overview
of activities.
• Produce visualizations for users violating SoD and vendors with discrepancies in
banking details.
• Target individual users and vendors for detailed investigations and produce
detailed visualizations for them.
• Analysis of visualizations and reporting findings.

On completion of the initial automated analytics, several visualizations are
dynamically produced by Graphviz. These visualizations demonstrate the
simplicity with which anomalous activities were identified in the case study
organization. Prior to this investigation, the organization’s audit manager focussed
primarily on performing internal audits and had not made any effort to investigate
application controls. He relied on the IT team to ensure that users had appropriate
access and authorizations. It was also discovered that the IT team had limited
accounting background and concentrated on providing users access to systems
only and the concept of SoD did not appear to be of concern. Although the audit
manager did have knowledge of audit tools and their capabilities, he preferred to use
standard office productivity tools (spreadsheets, word processors and email) due to
the cost of implementing new tools and the attitude that these new tools would not
have an impact on the findings of current audits. Explanations for the visualizations
are provided below.
The dashboard provides several key indicators linked to underlying detailed reports
(Figure 5):
• AP system summary: An overview of system being investigated.
• T-code statistics: Analysis of all related transaction codes performed by users.
• Critical combinations: Identifies number of users who have violated SoD and the
total value of invoices and payments processed by this group of users.
• Top 5 vendor invoices and payments: The five highest ranking vendors by
invoices received and payments processed.
• Dashboard dials for vendors sharing bank accounts, vendors with multiple bank
accounts and vendors with multiple changes to their bank accounts: Overview of
all vendor banking-related activities.
• Benford’s law analysis of invoice and payment amounts: Actual vendor invoice
and payment amounts are compared to the expected values.
• Fraud risk index: Uses various metrics to predict an organization’s vulnerability
to fraud.

The following node-link visualizations demonstrate the simplicity with which
violations in SoD were identified in the case study organization:
• Users performing vendor maintenance, entering invoice and processing
payments (Figure 6) – three users were identified in this category. The behaviour
of these users appeared to be inconsistent with SoD principles, as they had
performed vendor maintenance and entering accounting transactions.
Furthermore, in addition to using transaction-specific codes to perform their tasks
(e.g. FB60 – enter invoice), they were using the generic SAP transaction code FB01
for entering transactions. This transaction code allows a user to post any financial
transaction, i.e. general ledger, customer, vendor, inventory or asset. The user
enters the document type (e.g. SA, for general ledger) as part of the document
entry, then proceeds to enter relevant data (refer to Singh (2012) for a detailed
explanation of transaction codes and document types).

Figure 5. Fraud analytics dashboard

Figure 6. Users performing vendor maintenance, invoice and payment activities

• Users performing vendor maintenance and processing payments (Figure 7) – four
users were found to have violated this segregation principle.
• Users performing vendor maintenance and entering invoices (Figure 8) – two
users were found to have violated this segregation principle.
• Users entering invoices and processing payments (Figure 9) – 22 users were found
to have violated this segregation principle. This statistic is of concern due to the
number of employees having this capability, as it may encourage an employee to
enter a fictitious invoice and then pay it. All transactions entered by these users
should be treated as suspicious until confirmed as genuine.

Figure 7. Users performing vendor maintenance and processing payments

Figure 8. Users performing vendor maintenance and entering invoices

The next category of visualizations simplifies investigation of anomalies relating to
vendor bank accounts. The node-link visualizations produced from the data set show
several potential discrepancies that the audit team needed to further investigate.
• Vendors sharing bank accounts – should an employee redirect payments from a
legitimate vendor to a shell company, then both legitimate and fictitious vendors
will appear to be sharing the same bank account. During the period under review,
two vendors shared the same bank account (Figure 10).
• Vendors with multiple bank accounts – should an employee change a legitimate
vendor’s banking details, these changes appear as though the vendor had more
than one bank account. During the period under review, 31 such instances were
identified (Figure 11). A timeline analysis of transactions processed to each of the
bank accounts associated with individual vendors was performed. This helped
identify transactions that were processed to the different bank accounts.
• Timeline analysis for vendor bank account changes – lists transactions posted to
all bank accounts associated with a particular vendor. One vendor (0000010186)
was selected and transactions examined. From the transaction activity history
(Table I), it may be noted that a user edited the vendor’s banking details on
06/01/2011 (XK02) and two invoices were entered on 11/01/2011 and 24/01/2011,
respectively (FB60). Subsequently, two more changes were made to the vendor’s
banking details, three invoices entered, one payment made (F110) and one other
invoice entered (FB01). The payment transaction, in particular, requires
investigation to determine whether it was intended for the specified bank account.
• Examining detailed activities of a single user identified as risky. Targeting an
individual risky user enables an auditor to evaluate all activities performed by the
user for all vendors during the review period (Figure 12).
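
The three bank-account checks above (shared accounts, multiple accounts and the timeline) as an added Python example that is not part of the paper's prototype. The function names, the rule that marks a payment for review, the assumption that every XK02 event carries new bank details and the constructed vendor 0000099999 are assumptions; the rows for vendor 0000010186 are those of Table I.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# (date, user, tcode, vendor, amount, bank details). Rows for vendor 0000010186
# are Table I of the page; the row for vendor 0000099999 is constructed.
EVENTS = [
    ("6/01/2011", "SOHAN", "XK02", "0000010186", None, "NDBSSLQQ 5000811"),
    ("11/01/2011", "INDIKA", "FB60", "0000010186", Decimal("718.15"), None),
    ("24/01/2011", "INDIKA", "FB60", "0000010186", Decimal("1800.00"), None),
    ("27/01/2011", "SANJEEWAH", "XK02", "0000010186", None, "NDBSSLQQ 5000811"),
    ("3/02/2011", "SOHAN", "XK02", "0000010186", None, "BECYLKZ 0714343"),
    ("9/03/2011", "INDIKA", "FB60", "0000010186", Decimal("422.15"), None),
    ("15/03/2011", "INDIKA", "FB60", "0000010186", Decimal("119.29"), None),
    ("24/03/2011", "INDIKA", "FB60", "0000010186", Decimal("357.00"), None),
    ("21/04/2011", "INDIKA", "F110", "0000010186", Decimal("1406.70"), None),
    ("21/04/2011", "INDIKA", "FB01", "0000010186", Decimal("315.15"), None),
    ("12/02/2011", "SOHAN", "XK02", "0000099999", None, "BECYLKZ 0714343"),
]


def day(text):
    """Parse the dd/mm/yyyy dates used in the tables."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def bank_changes(events):
    """XK02 events that carry bank details, in date order."""
    rows = [e for e in events if e[2] == "XK02" and e[5]]
    return sorted(rows, key=lambda e: day(e[0]))


def vendors_sharing_accounts(events):
    """Bank details that were ever assigned to more than one vendor."""
    owners = defaultdict(set)
    for _, _, _, vendor, _, bank in bank_changes(events):
        owners[bank].add(vendor)       # history, so a reverted change still shows
    return {bank: sorted(v) for bank, v in owners.items() if len(v) > 1}


def vendors_with_multiple_accounts(events):
    """Vendors whose bank details took more than one distinct value."""
    seen = defaultdict(list)
    for _, _, _, vendor, _, bank in bank_changes(events):
        if bank not in seen[vendor]:
            seen[vendor].append(bank)
    return {v: banks for v, banks in seen.items() if len(banks) > 1}


def payments_after_change(events, vendor):
    """Timeline for one vendor: each F110 payment with the details in force."""
    timeline = sorted((e for e in events if e[3] == vendor),
                      key=lambda e: day(e[0]))
    in_force = changed_on = changed_by = None
    distinct, changes, payments = [], 0, []
    for date, user, tcode, _, amount, bank in timeline:
        if tcode == "XK02" and bank:
            in_force, changed_on, changed_by = bank, day(date), user
            changes += 1
            if bank not in distinct:
                distinct.append(bank)
        elif tcode == "F110":
            payments.append({
                "date": date, "paid_by": user, "amount": amount,
                "bank_in_force": in_force, "changed_by": changed_by,
                "days_since_change": (day(date) - changed_on).days
                                     if changed_on else None,
                "changes_before": changes,
                # Review when the details differed earlier in the period.
                "review": len(distinct) > 1,
            })
    return payments


if __name__ == "__main__":
    print(vendors_sharing_accounts(EVENTS))
    print(vendors_with_multiple_accounts(EVENTS))
    print(payments_after_change(EVENTS, "0000010186"))
```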

In this case, user SANJEEWAH has interacted with 18 vendors and has
performed a variety of transactions across vendors, including entering invoices,
processing payments and making changes to vendor bank account details.
Although this user has breached SoD principles, almost all of the incompatible
transactions have been spread across multiple vendors. One vendor, however, is of
interest, as the user has performed multiple incompatible transactions for the same
vendor (0000030155).

Figure 9. Users entering invoices and processing payments

Figure 10. Vendors sharing bank accounts

(1) Transactions performed by user SANJEEWAH for vendor 0000030155 were
investigated and the following audit trail was observed (Table II):
• Two invoices for $48,000.00 and $5,760.00, respectively, were posted on
21/02/2011, using transaction code FB01.
• One payment for $5,760.00 was posted on 23/02/2011, using transaction code
F110.
• One change to vendor banking details made on 27/01/2011, using transaction
code XK02.

Figure 11. Vendors having multiple bank accounts

Table I. Timeline analysis for vendor bank account changes

Date        User       Tcode  Amount     Bank details      Doc. No.
6/01/2011   SOHAN      XK02              NDBSSLQQ 5000811  00474973300
11/01/2011  INDIKA     FB60   $718.15                      19000161190
24/01/2011  INDIKA     FB60   $1,800.00                    19000161190
27/01/2011  SANJEEWAH  XK02              NDBSSLQQ 5000811  0048291325
3/02/2011   SOHAN      XK02              BECYLKZ 0714343   00048493355
9/03/2011   INDIKA     FB60   $422.15                      19000161191
15/03/2011  INDIKA     FB60   $119.29                      19000161192
24/03/2011  INDIKA     FB60   $357.00                      19000161193
21/04/2011  INDIKA     F110   $1,406.70                    15000025082
21/04/2011  INDIKA     FB01   $315.15                      19000161195

Figure 12. Detailed activities of a single risky user

Table II. Audit trail for a single user and vendor

Doc. date   Post. date  Doc. no.    Co. code  Vendor id.  Amount      Tcode
Invoices
21/02/2011  23/02/2011  1900152463  6000      0000030155  $48,000.00  FB01
21/02/2011  23/02/2011  1900152464  6000      0000030155  $5,760.00   FB01
N = 2                                         Total       $53,760.00
Payments
23/02/2011  23/02/2011  1500024177  6000      0000030155  $5,760.00   F110
N = 2                                         Total       $5,760.00

Changes to vendor bank details
Date        Doc. no.    Co. code  Vendor id.  Bank details     Tcode
27/01/2011  48291325    6000      0000030155  NDBSLQQ 5000811  XK02
N = 1

Figure 13. Users interacting with a single vendor

(2) A specific vendor may be targeted for further analysis to identify which users have
interacted with the vendor. This may provide further insight into what activities
have been performed on the vendor. In the following visualization (Figure 13), it was
observed that invoices were entered for vendor 0000030044 by several users. One
user performed changes to the vendor’s banking details. It is interesting to note that
invoices were being entered by normal users and support staff using generic logins
(i.e. COM-MGR, REPORTING, CLSTADMIN and SAPTEAM). This practice is not
recommended and violates normal SoD principles – separating users from SAP
support functions, and separating entry of invoices/postings and payment
functions. Posting of financial transactions ought to be restricted to users with
relevant authorizations. This presents a considerable fraud risk.
(3) Benford’s law of large numbers gives expected frequencies of digits in numerical
data. Analysis of the first-two digits for vendor invoices revealed large spikes at 11,
22, 27, 36, 45, 54 and 67 (Figure 14). Other smaller spikes were also observed but
appeared insignificant. Each of the spikes required further investigation to
determine the reason for deviation. Spike 36 was selected, as this was the largest
spike. The subsequent report contained 1,217 records, of all invoice amounts
containing 36 as the first-two digits. Several identical amounts appeared to have
been recorded for the same vendors. These transactions were entered by different
users. A follow-up investigation was conducted and several duplicate invoices were
discovered. (Further details of this investigation were not provided by the
organization).

Figure 14. Benford’s law analysis of invoice amounts

(4) Finding potential collusion is challenging and may be very difficult to detect.
The following visualization demonstrates the potential of the model to detect
such clandestine acts among employees conspiring to override well-designed
internal controls (Figure 15). This visualization was produced from test data
and demonstrates the possibility to “see” relationships among multiple users
and common vendors. In the example, it is observed that vendors appear to
be clustered around specific users, i.e. a particular user may be responsible
for processing transactions for a group of vendors. However, there are some
outliers that have more than one user in common. Although there may be a
perfectly legitimate reason for this occurrence, these circumstances warrant
further attention.
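
The first-two digits test described in the task analysis and applied in item (3), followed by the drill-down into one spike, as an added Python example that is not the authors' SAS implementation. The z-statistic cut-off is an assumption (the paper does not state how spikes were identified), and the invoice data, vendor numbers and user names are constructed.

```python
import math
from collections import Counter, defaultdict
from decimal import Decimal


def first_two(amount):
    """First-two significant digits (10-99) of an amount, or None for zero."""
    digits = list(Decimal(str(amount)).as_tuple().digits)
    while digits and digits[0] == 0:
        digits.pop(0)
    if not digits:
        return None
    digits.append(0)                       # a lone 5 is read as 5.0, i.e. 50
    return digits[0] * 10 + digits[1]


def benford_spikes(amounts, z_critical=1.96):
    """Digit pairs that occur more often than Benford's law expects.

    Returns (digits, count, z) tuples, largest z first. The expected
    proportion of pair d is log10(1 + 1/d).
    """
    observed = Counter(d for d in map(first_two, amounts) if d is not None)
    n = sum(observed.values())
    spikes = []
    for d in range(10, 100):
        expected = math.log10(1 + 1 / d)
        actual = observed[d] / n
        gap = abs(actual - expected)
        correction = 1 / (2 * n)           # continuity correction
        if correction < gap:
            gap -= correction
        z = gap / math.sqrt(expected * (1 - expected) / n)
        if actual > expected and z > z_critical:
            spikes.append((d, observed[d], round(z, 2)))
    return sorted(spikes, key=lambda s: s[2], reverse=True)


def duplicates_in_spike(invoices, digits):
    """Within one spike, identical amounts recorded for the same vendor.

    invoices: (vendor, amount, user, doc_no). Returns
    (vendor, amount, invoice count, users who entered them).
    """
    groups = defaultdict(list)
    for vendor, amount, user, _doc_no in invoices:
        if first_two(amount) == digits:
            groups[(vendor, Decimal(str(amount)))].append(user)
    return sorted((vendor, amount, len(users), sorted(set(users)))
                  for (vendor, amount), users in groups.items()
                  if len(users) > 1)


def constructed_invoices():
    """Constructed data: 2,000 log-uniform amounts, which follow Benford's
    law, plus 40 repeats of one amount for one vendor, entered by two users."""
    rows = []
    for i in range(2000):
        amount = Decimal(str(round(10 ** (1 + 3 * (i + 0.5) / 2000), 2)))
        rows.append(("00008%05d" % (i % 50), amount, "USER_C", 1900000000 + i))
    for i in range(40):
        user = ("USER_A", "USER_B")[i % 2]
        rows.append(("0000999999", Decimal("3600.00"), user, 1900002000 + i))
    return rows


if __name__ == "__main__":
    data = constructed_invoices()
    found = benford_spikes([row[1] for row in data])
    print("spikes:", found)
    print("duplicates:", duplicates_in_spike(data, found[0][0]))
```

A spike only says where to look; as in the case study, it is the duplicate listing inside the spike that turns it into records an auditor can follow up.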

The strategy used to provide validation for these visualization methods is provided by
Singh et al. (2013). Validation is an attempt to ensure that developed methods meet their
specific intended purpose. This is assessed with reference to the performance criteria
identified in Section 3.2 Task analysis. The results from testing the prototype system
were assessed by obtaining independent reviews from an expert and a panel of auditing
practitioners.

Figure 15. Transaction clusters

The Executive Director – Information Systems Audit of a top international accounting
firm, stated:

    […] automated fraud detection software can provide internal auditors with a tool to efficiently
    assess the presence of fraud within an organization …. In general, I found the functionality of
    the tool to be useful. The user interface would require a minimal level of training and some
    level of understanding of the SAP application, which is a reasonable constraint. The graphs
    and visualizations clearly communicated a message for the reader (Singh et al., 2013).

Feedback from the panel of auditing practitioners was very positive. They found the
visualizations easy to understand, and useful in aggregating large volumes of data.
Visualizations were also seen as enabling identification of relationships or patterns
in data that would otherwise be difficult in textual data. Overall, the panel rated the
visualizations as innovative and important tools in a fraud investigator’s toolkit
(Table III).

4. Contributions and limitations


This paper makes several contributions to the extant literature on visualization, in
particular, the application of visualization to the detection of fraud in accounts payable.
By determining the types of visualizations that may assist auditors in discovering
potential anomalies in accounts payable transaction data, the study addresses a
deficiency that the CA/CM literature associates with automated systems, namely,
information overload. We demonstrate the following visualization techniques that go
beyond simple blind querying of data to convey a clear and immediate impression of the
underlying data and to reduce the burden of information overload:
• A fraud analytics dashboard that organizes and presents information about
various indicators in an accounts payable system in a way that is easy to read and
interpret. The aim is to integrate information from multiple sources into a unified
display and to capitalize on human cognition.
• Node-link diagrams, using open-source Graphviz software, that enable an auditor
to visualize relationships easily. The goal is to create representations that make
the underlying data understandable and visually appealing. Several node-link
visualizations are provided to facilitate prompt discovery of violations in SoD,
discovering vendor fraud relating to “flipping” of vendor bank account details,
investigation of activities performed by risky users and to potentially reveal
further clandestine activities such as collusion.
• Charts and graphs assist a reader to easily interpret discrete or continuous data. We
predominantly use bar charts to demonstrate conformity of invoice amounts to
Benford’s law. Non-conformity or spikes in the results may be indicative of fraud and
require further investigation. An organization implementing any or all of these
techniques within a forensic audit may positively impact the overall effectiveness of
the audit process.

Table III. Visualizations (N = 23)

Visualizations (charts and diagrams) (Questionnaire scale 1 to 7)     Mean  Variance  SD
Easy to understand                                                    5.87  0.87      0.92
Useful in aggregating large amount of information                     6.09  0.54      0.73
Enables effective exploration of graphical data                       6.13  0.57      0.76
Enables identification of relationships or patterns in data that are
otherwise difficult to do in textual data                             6.17  0.60      0.78
Enhances investigation and analysis for potential fraud               6.22  0.54      0.74
Are an innovative way of presenting information                       6.35  0.42      0.65
Are an important tool in a fraud investigator’s toolkit               6.04  0.77      0.88


To test our prototype, data are extracted from an SAP ERP system and processed using
SQL queries. The results are a series of data sets that may potentially contain hundreds
or thousands of anomalous activities. This study makes a contribution to the literature
by developing a framework to dynamically transform filtered data sets into explicit
visualizations, as described above. In addition to identifying patterns of activities within
a data set, visualization may be used to identify suspicious activities. These activities
may result from unintentional errors or potential fraud. Further investigations will
ideally distinguish between the two. It may be impossible to investigate all suspicious
activities due to cost concerns (Cleary and Thibodeau, 2005). Therefore, auditors may
elect to investigate only a subset based on materiality. However, the techniques
presented in this research expose all suspicious activities.
We acknowledge the following limitation regarding generalizability of results from
this research. The focus of this research is on a single category of occupational fraud,
namely, asset misappropriation. Within asset misappropriation, the study focuses on
billing fraud schemes involving shell companies and non-accomplice vendors in
accounts payable. This limits identification of potential threats or frauds. Therefore,
generalizing the findings to other categories of fraud (such as accounts receivable) must
be made with caution. Feedback from forensic analysts and internal auditors may be
very useful in improving the framework. Whether suspicious activities turn out to be
errors, fraud or normal transactions, the investigation of the results will provide further
insight which may be useful in improving the framework.

5. Conclusion
With the increasing complexity of ERP systems, fraudsters are finding new opportunities
and conceiving intricate methods to perpetrate fraud and outsmart implemented system
controls. The complex nature of these frauds and other “white-collar” crimes requires novel
approaches to view and leverage the enormous amount of information being produced.
Thousands of transactions daily generate thousands of lines of data in an ERP system.
Hidden among these gigabytes of data may possibly be fraudulent transactions that are
nearly impossible to detect. Forensic analysts and auditors are obliged to seek new and
innovative methods to discover fraud (Marane, 2008). Complete fraud detection is
challenging and there is no “silver bullet” to effectively ensure it. Visualization, when
combined with other techniques, may improve an auditor’s ability to identify suspicious
activities not otherwise identifiable, and to encourage further investigations.
The contributions made by this research provide new stimulus for research in the
area of visualization. Further work is encouraged in applying such techniques to detect
other fraud schemes, and exploring other innovative visualization methods. The human
eye processes information more efficiently when presented as images as opposed to
textual information. As our instincts develop over time, so does our ability to process
complex concepts through visual identification. By representing information spatially
and with images, humans are able to grasp its meaning, to group similar ideas and to
connect it with prior knowledge effortlessly. Using illustrations or diagrams to
represent large amounts of information facilitates easier understanding and helps reveal
patterns and relationships. Our research highlights the effectiveness of using
visualization to identify suspicious activities in accounts payable transactions. We
demonstrate that using interactive visualization techniques coupled with traditional
analyses enhances an auditor’s ability to “see” patterns and efficiently narrow these
down to individual activities. The feasibility of applying low-cost, open-source software
to implement such techniques was also demonstrated.

References
ACFE (2012), “Report to the nation on occupational fraud and abuse”, available at:
www.acfe.com/rttn (accessed 27 February 2013).
ACFE (2014), “Report to the nation on occupational fraud and abuse”, available at:
www.acfe.com/rttn (accessed 2 June 2014).
Albrecht, W.S., Albrecht, C.C. and Albrecht, C.D. (2009), Fraud Examination, 3rd ed., Thomson/
South-Western.
Alles, M., Brennan, G., Kogan, A. and Vasarhelyi, M.A. (2006), “Continuous monitoring of
business process controls: a pilot implementation of a continuous auditing system at
Siemens”, International Journal of Accounting Information Systems, Vol. 7 No. 2,
pp. 137-161.
Alles, M.G., Kogan, A. and Vasarhelyi, M.A. (2008), “Putting continuous auditing theory into
practice: lessons from two pilot implementations”, Journal of Information Systems, Vol. 22
No. 2, pp. 195-214.
Argyriou, E.N., Sotiraki, A.A. and Symvonis, A. (2013), “Occupational fraud detection through
visualization”, 2013 IEEE International Conference on Intelligence and Security
Informatics (ISI), IEEE, pp. 4-6.
AuditNet (2012), “AuditNet 2012 state of technology use by auditors”, AuditNet LLC, available at:
www.auditnet.org/ (accessed 27 February 2013).
Battista, G.D., Eades, P., Tamassia, R. and Tollis, I.G. (1998), Graph Drawing: Algorithms for the
Visualization of Graphs, Prentice Hall PTR.
Benford, F. (1938), “The law of anomalous numbers”, Proceedings of the American Philosophical
Society, pp. 551-572.
Best, P.J., Rikhardson, P. and Toleman, M. (2009), “Continuous fraud detection in enterprise
systems through audit trail analysis”, Journal of Digital Forensics, Security and Law, Vol. 4
No. 1, pp. 39-60.
Bologna, J. (1992), “Thinking like a thief”, The Internal Auditor, Vol. 49 No. 4, pp. 30-33.
Chang, R., Ghoniem, M., Kosara, R., Ribarsky, W., Jing, Y., Suma, E., Ziemkiewicz, C., Kern, D. and
Sudjianto, A. (2007), “WireVis: visualization of categorical, time-varying data from
financial transactions”, IEEE Symposium on IEEE Visual Analytics Science and
Technology, VAST 2007, pp. 155-162.
Cleary, R. and Thibodeau, J.C. (2005), “Applying digital analysis using Benford’s law to detect
fraud: the dangers of type I errors”, AUDITING: A Journal of Practice & Theory, Vol. 24
No. 1, pp. 77-81.
Coleman, K. (2008), “Separation of duties and IT security”, CSO Security and Risk, available
at: www.csoonline.com/article/446017/separation-of-duties-and-it-security (accessed 8 June
2012).
Datawatch (2014), “Modeler”, Datawatch, available at: www.datawatch.com/products/monarch/
(accessed 12 January 2015).
Di Giacomo, E., Didimo, W., Liotta, G. and Palladino, P. (2010), “Visual analysis of financial
crimes: [system paper]”, Proceedings of the International Conference on Advanced Visual
Interfaces, ACM, pp. 393-394.
Didimo, W. and Liotta, G. (2006), “Graph visualization and data mining”, Mining Graph Data,
pp. 35-63.
Didimo, W., Liotta, G., Montecchiani, F. and Palladino, P. (2011), “An advanced network
visualization system for financial crime detection”, 2011 IEEE Pacific Visualization
Symposium (PacificVis), IEEE, pp. 203-210.
Dilla, W., Janvrin, J.D. and Raschke, R. (2010), “Interactive data visualization: new directions for
accounting information systems research”, Journal of Information Systems, Vol. 24 No. 2,
pp. 1-37.
Eick, S.G. (2000), “Visual discovery and analysis”, IEEE Transactions on Visualization and
Computer Graphics, Vol. 6 No. 1, pp. 44-58.
Fetaji, B. (2011), “Development and analyses of dynamical visualization process tool in run time
and its usability evaluation”, TTEM-Technics Technologies Education Management, Vol. 6
No. 2, pp. 447-454.
Gansner, E., Hu, Y. and Kobourov, S. (2010), “GMap: drawing graphs and clusters as maps”, IEEE
Pacific Visualization Symposium, IEEE, pp. 201-208.
Ghoniem, M., Fekete, J.-D. and Castagliola, P. (2005), “On the readability of graphs using node-link
and matrix-based representations: a controlled experiment and statistical analysis”,
Information Visualization, Vol. 4 No. 2, pp. 114-135.
Gleicher, M., Albers, D., Walker, R., Jusufi, I., Hansen, C.D. and Roberts, J.C. (2011), “Visual
comparison for information visualization”, Information Visualization, Vol. 10 No. 4,
pp. 289-309.
Graphviz (2010), “Graphviz - graph visualization software”, available at:
www.graphviz.org/About.php (accessed 21 December 2011).
Greene, C.L. (2003a), “Audit those vendors”, The White Paper, McGovern & Greene, available at:
www.mcgoverngreene.com/archives/archive_articles/Craig_Greene_Archives/audit_vendors.html
(accessed 21 September 2010).
Greene, C.L. (2003b), “Focus on employee frauds – purchasing frauds”, McGovern & Greene,
available at:
www.mcgoverngreene.com/archives/archive_articles/Craig_Greene_Archives/Focus-Employee_Frauds-Purch.html
(accessed 29 September 2010).
Hensinger, R.N. (1986), “Standards in pediatric orthopedics: tables, charts, and graphs illustrating
growth”, Journal of Pediatric Orthopaedics, Vol. 7 No. 3, p. 345.
Herman, I., Melancon, G. and Marshall, M.S. (2000), “Graph visualization and navigation in
information visualization: a survey”, IEEE Transactions on Visualization and Computer
Graphics, Vol. 6 No. 1, pp. 24-43.
Huang, M.L., Liang, J. and Nguyen, Q.V. (2009), “A visualization approach for frauds detection in
financial market”, 2009 13th International Conference on Information Visualization, IEEE,
pp. 197-202.
IBM (2014), “i2 analyst notebook”, IBM, available at: www-01.ibm.com/software/info/i2software/
(accessed 8 August 2014).
Jinson, Z. and Mao Lin, H. (2013), “5Ws model for big data analysis and visualization”, 2013 IEEE
16th International Conference on Computational Science and Engineering (CSE), IEEE,
Sydney, NSW, pp. 1021-1028.
Kotb, A. and Roberts, C. (2011), “The impact of e-business on the audit process: an investigation of
the factors leading to change”, International Journal of Auditing, Vol. 15 No. 2, pp. 150-175.
Koutsofios, E. and North, S. (1991), “Drawing graphs with dot”, Technical Report
910904-59113-08TM, AT&T Bell Laboratories, Murray Hill, NJ.
Kuhn, J.R. Jr and Sutton, S.G. (2010), “Continuous auditing in ERP system environments: the
current state and future directions”, Journal of Information Systems, Vol. 24 No. 1,
pp. 91-112.
Kuhn, J.R. and Sutton, S.G. (2006), “Learning from WorldCom: implications for fraud detection
through continuous assurance”, Journal of Emerging Technologies in Accounting, Vol. 3
No. 1, pp. 61-80.
Lanza, R.B. (2003), Proactively Detecting Occupational Fraud Using Computer Audit Reports, The
IIA Research Foundation, FL.
Lanza, R.B. (2007), “Auditing vendor accounts for fraud or at least some cash recovery”, Fraud
Magazine, September/October, ACFE, Austin.
Li, N., Tripunitara, M.V. and Bizri, Z. (2007), “On mutually exclusive roles and
separation-of-duty”, ACM Transactions on Information and System Security, Vol. 10 No. 2,
ACM, New York, NY.
Liang, L.Y. and Miranda, R. (2001), “Dashboards and scorecards: executive information systems
for the public sector”, Government Finance Review, CBS Interactive Business Network.
Little, A. and Best, P.J. (2003), “A framework for separation of duties in an SAP R/3 environment”,
Managerial Auditing Journal, Vol. 18 No. 5, pp. 419-430.
McGuffin, M.J. (2012), “Simple algorithms for network visualization: a tutorial”, Tsinghua Science
and Technology, Vol. 17 No. 4, pp. 383-398.
Marane, A. (2008), “Visual analysis of large datasets”, available at: http://linkanalysisnow.com/
2011/07/visual-analysis-of-large-datasets.html (accessed 9 January 2012).
NetMap (2014), “NetMap analytics”, NetMap, available at: www.netmap.com (accessed 8 August
2014).
Nigrini, M.J. (2011), Forensic Analytics. Methods and Techniques for Forensic Accounting
Investigations, John Wiley & Sons, NJ.
NIST (2003), in Croarkin, C. and Tobias, P. (Eds), NIST/SEMATECH e-Handbook of Statistical
Methods, US Department of Commerce.
O’Gara, J.D. (2004), Corporate Fraud Case Studies in Detection and Prevention, Wiley.
Rezaee, Z., Sharbatoghlie, A., Elam, R. and McMickle, P.L. (2002), “Continuous auditing: building
automated auditing capability”, Auditing: A Journal of Practice & Theory, Vol. 21 No. 1,
pp. 147-163.
Singh, K. (2012), “A conceptual model for proactive detection of potential fraud in enterprise
systems: exploiting SAP audit trails to detect asset misappropriation”, PhD thesis,
Department of Accounting, Economics and Finance, University of Southern Queensland.
Singh, K.H., Best, P.J. and Mula, J.M. (2013), “Automating vendor fraud detection in enterprise
systems”, Journal of Digital Forensics, Security and Law, Vol. 8 No. 2, pp. 7-42.
Singleton, T., Singleton, A., Bologna, J. and Lindquist, R. (2008), Fraud Auditing and Forensic
Accounting, John Wiley & Sons.
Song, M. (2000), “Visualization in information retrieval: a three-level analysis”, Journal of
Information Science, Vol. 26 No. 1, pp. 3-19.
Srinidhi, B. (1994), “The influence of segregation of duties on internal control judgments”, Journal
of Accounting, Auditing & Finance, Vol. 9 No. 3, pp. 423-444.
Tang, L., Barbier, G., Liu, H. and Zhang, J. (2010), “A social network analysis approach to detecting
suspicious online financial activities”, SBP’10 Proceedings of the 3rd International
Conference on Social Computing, Behavioral Modeling, and Prediction, Springer-Verlag
Berlin, Heidelberg, pp. 390-397.
TechTarget (2010), “Data visualization”, TechTarget, available at: http://searchbusinessanalytics.
techtarget.com/definition/data-visualization (accessed 21 December 2011).
Tory, M. and Moller, T. (2004), “Human factors in visualization research”, IEEE Transactions on
Visualization and Computer Graphics, Vol. 10 No. 1, pp. 1-13.
Vasarhelyi, M.A., Alles, M.G., Kogan, A. and O’Leary, D. (2004), “Principles of analytic monitoring
for continuous assurance”, Journal of Emerging Technologies in Accounting, Vol. 1,
pp. 1-21.
Vasarhelyi, M.A., Alles, M., Kuenkaikaew, S. and Littley, J. (2012), “The acceptance and adoption
of continuous auditing by internal auditors: a micro analysis”, International Journal of
Accounting Information Systems, Vol. 13 No. 3, pp. 267-281.
Vasarhelyi, M.A., Alles, M. and Williams, K.T. (2010), “Continuous assurance for the now
economy”, A Thought Leadership Paper for the Institute of Chartered Accountants in
Australia, Institute of Chartered Accountants.
Wang, X., Jeong, D., Chang, R. and Ribarsky, W. (2012), “RiskVA: a visual analytics system for
consumer credit risk analysis”, Tsinghua Science and Technology, Vol. 17 No. 4, pp. 440-451.
Wang, X., Miller, E., Smarick, K., Ribarsky, W. and Chang, R. (2008), “Investigative visual analysis
of global terrorism”, Computer Graphics Forum, Vol. 27 No. 3, pp. 919-926.
Wells, J.T. (2002), “Billing schemes, part 1: shell companies that don’t deliver”, Journal of
Accountancy, Vol. 194 No. 1, pp. 76-79.
Wells, J.T. (2011), Principles of Fraud Examination, 3rd ed., John Wiley & Sons.
Xanalys (2014), “Xanalys link explorer”, IBM, available at: www.xanalys.com (accessed 8 August
2014).
Yigitbasioglu, O.M. and Velcu, O. (2012), “A review of dashboards in performance management:
implications for design and research”, International Journal of Accounting Information
Systems, Vol. 13 No. 1, pp. 41-59.

About the authors


Kishore Singh holds the position of Lecturer in accounting information systems at Griffith
University. He has qualifications in computer science, information systems, electronic
engineering and operations research. He is also a certified Microsoft Systems Engineer and
Developer. His research interests are in the area of continuous auditing; continuous monitoring
and fraud detection through audit trail analysis. Kishore Singh is the corresponding author and
can be contacted at: Kishore.Singh@griffith.edu.au
Peter Best holds the position of Professor and Head of Discipline – Accounting at Griffith
University. He has qualifications in accounting, operations research and information technology.
His PhD examined the feasibility of machine-independent audit trail analysis in large computer
systems. His teaching, research and consulting experience includes electronic business
intelligence and data mining, auditing of enterprise systems, computer-assisted audit techniques,
fraud detection and audit trail analysis.
