1 / 22

LEARNING FROM WORLDCOM: IMPLICATIONS FOR FRAUD DETECTION THROUGH CONTINUOUS ASSURANCE

LEARNING FROM WORLDCOM: IMPLICATIONS FOR FRAUD DETECTION THROUGH CONTINUOUS ASSURANCE. J. Randel Kuhn, Jr. University of Central Florida Steve G. Sutton University of Central Florida University of Melbourne. Purpose of the Study.

thomascraig
Télécharger la présentation

LEARNING FROM WORLDCOM: IMPLICATIONS FOR FRAUD DETECTION THROUGH CONTINUOUS ASSURANCE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LEARNING FROM WORLDCOM: IMPLICATIONS FOR FRAUD DETECTION THROUGH CONTINUOUS ASSURANCE J. Randel Kuhn, Jr. University of Central Florida Steve G. Sutton University of Central Florida University of Melbourne

  2. Purpose of the Study • To examine the key methods of fraud utilized by the management at WorldCom and to demonstrate how the use of established principles of analytic monitoring could be used to detect fraud executed through normal operating transactions. • To demonstrate integration procedures for the prescribed monitoring in an SAP-based enterprise systems environment similar to WorldCom’s. • To highlight the intractable monitoring problem presented by the myriad of loosely connected legacy systems feeding into WorldCom’s consolidated SAP system.

  3. Contribution to Continuous Audit Research • Provides detailed understanding of how continuous assurance techniques explored in the research literature can be applied to effectively identify fraud in a known fraud situation. • Moves the literature on continuous audit modules forward by addressing the complexities of implementation within a standardized enterprise software environment. • Addresses the realities and risks associated with large numbers of disparate legacy systems.

  4. Fraud Strategies at WorldCom • Categorize operating expenses as capital expenditures. • Reclassify acquired MCI assets as goodwill. • Include future company expenses as write-downs of acquired assets. • Manipulate the bad debt reserve calculations.

  5. Continuous Assurance Framework • Traditional attestation framework provides only a snapshot of the financial reporting system, thus inhibiting timely decision-making and limiting audit scope. • Continuous auditing addresses these faults by immediately identifying irregularities, increasing audit coverage, and functioning remotely.

  6. Continuous Assurance Framework • Early work by Groomer and Murthy (1989) and Vasarhelyi and Halper (1991) laid the foundation for continuous auditing research. • The three phases of continuous auditing are: 1. Measurement – key management reports (e.g. financials) 2. Monitoring – comparison to metrics and error notification 3. Analysis – auditor review of alarms and investigation • Nature of auditing transforms from substantive-based test of details approach to auditing by exception.

  7. Framework To Other Stakeholders Alarms Monitoring Analytics and Exception Reporting Audit Exceptions External Information Internal and External Monitoring Metrics To Operations Corporate Strategic and Tactical Metrics Scorecard Monitoring IT Structure Corporate IT structure incorporating, legacy, ERPs, middleware, and Web Internal Information Obtained from Vasarhelyi working paper, Rutgers University.

  8. System Architecture • The integrated platforms and automated business processes of ERP applications enable effective use of continuous auditing procedures. • WorldCom utilized an SAP R/3 enterprise system to process business transactions and produce consolidated financial statements.

  9. System Architecture • Two continuous auditing system architecture models exist in research literature: 1. Monitoring and Control Layer (MCL) 2. Embedded Audit Module (EAM) • MCL uses an independent server controlled by the auditor that receives scheduled data interfaces from the client’s enterprise system (i.e. near real-time) and is analyzed against a set of rules.

  10. System Architecture • EAM functionality/logic is embedded into the client’s system and operates real-time. • MCL represents the least intrusive, most efficient, and more independent alternative; especially in a resource-constrained SAP environment. • Data extraction for MCL can occur via either BAPI with RFC or direct extraction from table data (e.g. GLPCT/GLPCA).

  11. Continuous Audit Data Flow (MCL) SAP R/3 (GLPCA/GLPCT) Continuous Extraction via RFC Extractor Relational Database Data Testing Alerts Exception Report Auditor CA Analyzer (with rule-set)

  12. CA Analyzer Rule-Set #1 • Fraud: • Categorize operating expenses as capital expenditures. • Detection Measure: • Compare ratios of Operating Expenses to Sales Revenue and • Capital Expenditures to Sales Revenue to industry averages. • Analytic Metric: • IF OpEx to Sales ratio is > 2% below .93 AND CapEx to Sales ratio • is > 5% above .15, THEN create alert. • Note: WorldCom’s 12/31/01 OpEx/Sales and CapEx/Sales ratios were .90 and .22 • exceeding the threshold by $946m and $585m, respectively.

  13. CA Analyzer Rule-Set #2 Fraud: Reclassify acquired MCI assets as goodwill. Detection Measure: Identify significant changes to asset and goodwill accounts. Analytic Metric: IF Property, Plant, and Equipment and Goodwill account balances increase or decrease by > .01% from the last extraction, THEN create alert. Note: WorldCom Goodwill balance as of 12/31/01 was $50.5b. A .01% change would have been $5.05m. Actual account balance change for the year was $3.9b.

  14. CA Analyzer Rule-Set #3 • Fraud: • Include future company expenses as write-downs of acquired assets. • Detection Measure: • Compare operating profit (i.e. revenue – operating expenses) to • industry trend. • Analytic Metric: • Graph the monthly statistic of (revenue – operating expenses) for • the past 12 months. IF the slope of the trend (x=exp, y=rev) is positive, • THEN create alert. • Note: During the fraudulent years, the telecommunication industry experienced rising operating • costs in relation to revenue (i.e. consistent negative slope).

  15. CA Analyzer Rule-Set #4 • Fraud: • Manipulate the bad debt reserve calculations. • Detection Measure: • Compare estimates of bad debt allowance to historical averages. • Analytic Metric: • IF the change in the ratio of Bad Debt Allowance to Accounts • Receivable is > 1% below last month’s figure, THEN create alert. • Note: A 1% decrease in estimate for WorldCom in 2001 would have resulted in a • revenue increase of $23m. WorldCom actually reduced the estimate by 1.4% from prior • year saving $87m in bad debt expense.

  16. Continuous Audit Data Flow (MCL) SAP R/3 (GLPCA/GLPCT) Continuous Extraction via RFC Extractor Relational Database Data Testing Alerts Exception Report Auditor CA Analyzer (with rule-set)

  17. Legacy System Complexities • Disparate systems built on various technological foundations complicate the design, use, and maintenance of continuous auditing applications. • Auditing the consolidated financial system provides only limited assurance. • The nature of the data collection for the billing process at WorldCom illustrates the complexity.

  18. WorldCom Billing Process Billing #1 Billing #2 SAP R/3 (Revenue & A/R) Billing #30 Legacy Billing Systems Telephone Switches Traffic Systems

  19. Importance of the Study • Demonstrates how a reasonable and practical implementation of continuous assurance would have detected a major fraud. • Emphasizes practicality of implementation in an enterprise systems environment. • Recognizes the inherent complexities of continued use of legacy systems and the related risk in any financial audit.

  20. Implications for Future Research • Continuous audit is possible, but what are the challenges facing a comprehensive implementation? • Cost? • Consumption of system resources? • Scalability? • Maintainability of comparison data/trends?

  21. Implications for Future Research • What are the organizational and human issues involved? • Perceptions of trust? • Gaming behavior? • Human interpretation and use of data? • Information processing biases? • Information overload?

  22. LEARNING FROM WORLDCOM: IMPLICATIONS FOR FRAUD DETECTION THROUGH CONTINUOUS ASSURANCE J. Randel Kuhn, Jr. University of Central Florida Steve G. Sutton University of Central Florida University of Melbourne

More Related