The Virtual Auditor and the Human Element
By Steve Stanek, KnowledgeLeader contributing writer
To properly fight fraud it is not enough to use leading technology solutions without using knowledgeable auditors. It is necessary to use both, says Patrick Taylor, founder and CEO of Oversight Systems, an Atlanta-based firm that provides businesses with real-time continuous transaction monitoring technology.
“Ideally, a company would want to marry the best of both approaches, particularly on the fraud detection side,” says Taylor. “Fraud is a singular event. You are looking for needles in a haystack. With technology, we can drill through the haystack and find the small pile of sharp things. Then we can use people to look through that small pile and see what those sharp things really are.”
Taylor uses a technology analogy to illustrate his point, “In theory, we could build a firewall to keep out every hacker, but in reality we cannot perfectly configure a system or anticipate everything a hacker might try. So, we also end up monitoring activity. The same thing holds true with fraud. We need to do both virtual and human fraud detection and prevention because nothing is perfect. Virtual systems and human fraud auditing complement each other.”
While automated technology can be designed to monitor every transaction and flag every item that falls outside certain parameters, it cannot apply judgment. “It is easier for a human to say there are too many things that look weird,” Taylor says. “A person can look at those weird things and determine if there is a problem or if it is something that is acceptable. A person can make a phone call or walk down a hallway and ask for additional information to make a more accurate judgment.”
The Human Element
Personal judgment also must come into play on certain issues, such as setting pension reserves, evaluating construction projects that may be delayed because of bad weather, and other items that fall outside workday routines.
“Humans have a huge advantage in looking at the non-routine transactions,” Taylor says. Technology though, has its own significant advantages especially when it comes to volume. A global health services company with 5,000 corporate cardholders learned this after Oversight Systems helped the company consistently review all cardholders’ transactions for compliance with company policies and government regulations. Before implementation of this technology solution, the company could not manage the volume of transactions for across-the-board review.
Oversight extracted data directly from the company’s IT outsourcer and transaction records from American Express. Oversight then objectively applied advanced analytics, which combines the tests and heuristics used by forensic accountants, auditors and fraud examiners to identify transactions that might constitute policy violations. Oversight’s workflow system flags potential “exceptions” and automatically logged them with all investigation and resolution data, created a permanent audit log for review of policy management and enforcement, and documented actions taken.
Taylor says the company can now cover all of its cardholder activities to efficiently and consistently handle policy violations, with just two “humans” assigned to the task. Within the first few months of implementation, the system had audited nearly one million transactions. Oversight also created custom analytics to focus on specific problem areas, such as repeat offenders. High-volume business processes such as general ledger, accounts payable, and accounts receivable are areas where virtual fraud auditing technologies work best, Taylor says.
Delays Come with a Cost
For a leading manufacturer, Oversight also provided technology solutions to help the company’s internal audit group streamline, automate and boost the effectiveness of its ongoing review of accounts payable and procure-to-pay controls. The internal audit group at this manufacturing firm was using a labor-intensive in-house approach to monitor controls over the company’s procure-to-pay processes. This approach only gave them retrospective views of their data up to six months. Months of delay could allow minor control weaknesses to grow into significant issues, Taylor says. The delays also created concerns about the relevancy and reliability of the data.
Oversight’s virtual auditor technology enabled the company to uncover control violations resulting in erroneous financial transactions, duplicate records and potential misuse in their procurement and accounts payable systems. The company’s internal audit director reports that, even before the analytics were fine-tuned for the company’s specific needs, Oversight had identified more than 100 duplicate vendors in the company’s system. Uncovering these duplicates on a timely basis prevented a more significant issue later in the process. More importantly, by enabling internal auditors to easily identify the root cause, Oversight helped the company develop and implement best practices for its accounts payable processes.
Newly implemented continuous transaction monitoring software now identifies control breakdowns and violations at every point in the process, which means these exceptions are fixed earlier, where remediation is less costly (i.e., eliminating duplicate vendors before they lead to duplicate vouchers; or duplicate vouchers before they result in duplicate payments, which must then be recovered after-the-fact). The director further reports the costs of implementation and operation have been easily recovered through a reduction in erroneous payments.
Some Fringe Benefits
Because most control issues that arise are not fraud-related and are the result of honest mistakes or faulty processes, the use of fraud prevention and detection technology also helps organizations improve controls and processes to generate cost savings.
“You could pay for a continuous monitoring system in operational improvements, and get great fraud coverage at the same time. After you do that, look at all the controls implemented under SOX and examine how they could be optimized or reduced through continuous monitoring,” Taylor says.
Further savings can come from the nature of virtual audit technology itself. Because it can be used to monitor all transactions in a totally objective manner, external auditors can rely more on the resulting work. As Taylor puts it, “This is another dimension for rationalizing SOX costs. If you architect the technology well, you can make your auditors more efficient as well.”
This is yet another way to justify the use of virtual audit technology comes from Audit Standard 5 (AS5), issued last summer by the Public Company Accounting Oversight Board (PCAOB). AS5 emphasizes the need for companies to take a top-down, risk-based approach to compliance issues. The PCAOB cites management override of controls as a major fraud risk. Fraud audit technology can be a valuable tool to address this risk, says Taylor.
“You should be able to use other companies’ trusted results and create a business case for what your company can expect,” he says. “It is also easy to track the dollar value of corrections that are made and identify direct savings. You do not need to catch many things to cost-justify this type of program.”
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
|
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. |