A friend of mine is the internal audit director for a major retail group. They had a case in South America where the CFO had been entering strange journal entries around closing in order to boost the figures a bit. They had Big 4 auditors doing the audit for years on end, but no one ever noticed the needle in the haystack, which, in value terms, was actually more like an elephant in the teacup.
But the internal auditor had something up his sleeve; he had data analytics. Running the millions of lines of journal entries through his data analytics program, it was actually very easy to list out the users that had been entering journal entries (BKPF_USNAM for SAP…). It was then very easy to compare this list to the list of people that work in the company and their actual real names (table USR21 in SAP gives the mapping from user ID to personnel name).
From there, it’s really not very difficult to sort the journal entries by value (BSEG_DMBTR) and user in order to see who is entering the journal entries of the highest amount, even if entering rather few transactions. And, being a bit awake, whilst doing the audit, recognising the name of the CFO in the list of users entering journal entries was also not that difficult.
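The test described above can be sketched in a few lines of Python. This is an added example, not the audit team's actual program: the sample rows and user names are constructed, the BELNR, BUDAT and SHKZG fields are standard SAP fields that the text does not mention, and the 10x-median threshold and three-day closing window are assumptions.

```python
import calendar
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample extracts, not real data. Real BKPF/BSEG rows are keyed by
# company code, document number and fiscal year; one key column is used here.
BKPF = [  # (BELNR, USNAM, BUDAT)
    ("100", "APCLERK1", date(2023, 3, 6)), ("101", "APCLERK1", date(2023, 3, 9)),
    ("102", "APCLERK1", date(2023, 3, 14)), ("103", "GLACC02", date(2023, 3, 20)),
    ("104", "GLACC02", date(2023, 3, 30)), ("105", "JDOE", date(2023, 3, 31)),
    ("106", "JDOE", date(2023, 3, 31)), ("107", "TEMP09", date(2023, 3, 15)),
]
BSEG = [  # (BELNR, SHKZG, DMBTR); SHKZG "S" = debit line, "H" = credit line
    ("100", "S", 1200.0), ("100", "H", 1200.0), ("101", "S", 800.0), ("101", "H", 800.0),
    ("102", "S", 950.0), ("102", "H", 950.0), ("103", "S", 3000.0), ("103", "H", 3000.0),
    ("104", "S", 2500.0), ("104", "H", 2500.0), ("105", "S", 750000.0), ("105", "H", 750000.0),
    ("106", "S", 900000.0), ("106", "H", 900000.0), ("107", "S", 400.0), ("107", "H", 400.0),
]
NAMES = {"APCLERK1": "A. Clerk", "GLACC02": "G. Ledger", "JDOE": "J. Doe"}  # user ID -> name

def rank_posters(bkpf, bseg, names, ratio=10.0, close_days=3):
    """Rank users by posted value; flag those whose average document is
    at least `ratio` times the typical (median) document value."""
    doc_value = defaultdict(float)
    for belnr, shkzg, dmbtr in bseg:
        if shkzg == "S":  # DMBTR is unsigned: sum the debit side only
            doc_value[belnr] += dmbtr
    typical = median(doc_value.values())
    users = defaultdict(lambda: {"docs": 0, "total": 0.0, "near_close": 0})
    for belnr, usnam, budat in bkpf:
        u = users[usnam]
        u["docs"] += 1
        u["total"] += doc_value.get(belnr, 0.0)
        month_end = calendar.monthrange(budat.year, budat.month)[1]
        u["near_close"] += month_end - budat.day < close_days  # last days of month
    rows = [{"user": usnam, "name": names.get(usnam, "<not in user list>"), **u,
             "flag": u["total"] / u["docs"] >= ratio * typical}
            for usnam, u in users.items()]
    return sorted(rows, key=lambda r: r["total"], reverse=True)

if __name__ == "__main__":
    for r in rank_posters(BKPF, BSEG, NAMES):
        print(f'{r["user"]:<9} {r["name"]:<20} docs={r["docs"]} '
              f'total={r["total"]:>12,.2f} near_close={r["near_close"]} flag={r["flag"]}')
```

The user at the top of the ranking with only two documents, both posted on the last day of the month, is the kind of row the auditor then checks against the organisation chart. A user ID missing from the name list is worth a second look as well.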
Suffice it to say that the Big 4 audit firm did receive a fine for not noticing.
So, there is a lot to do in a big organization in order to really be able to help the company to recognize fraud and avoid fines and prosecution. But often management does not give internal audit the resources that they need.
Obviously, you cannot expect people to look through millions of lines of data, especially if your team is small.
This is why it is essential for internal auditors to be able to automate their work. The data analytics program that detected the fraud in South America can be re-used for all the other entities. Nothing is stopping that audit team from running such controls automatically in the background and setting up alerts when things look strange.
The more experience the team gains, the more ideas it has, and the more tests it can put in place to pick up on known or previously seen fraud cases.