A friend of mine is internal audit director for a major retail group. They had a case in South America where the CFO had been entering strange journal entries around closing in order to boost the figures a bit. They had the Big 4 auditors there to do the audit for years on end, but no-one ever noticed the needle in the haystack, which, actually, in value terms, was more like an elephant in the teacup.
But the internal auditor had something up his sleeve: data analytics. Running the millions of lines of journal entries through his data analytics program, it was actually very easy to list the users who had been entering journal entries (BKPF_USNAM for SAP… ). It was then very easy to compare this list to the list of people who work in the company and their actual real names (table USR21 in SAP gives the mapping from user ID to personnel name).
From there, it’s really not very difficult to sort the journal entries by value (BSEG_DMBTR) and user in order to see who is entering the highest-value journal entries, even if entering rather few transactions. And, being a bit awake while doing the audit, recognising the name of the CFO in the list of users entering journal entries was also not that difficult.
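The analysis described above, as an added example that is not part of the original post: it profiles journal entries per entering user, resolves real names, and flags users with few documents but unusually large lines. The rows are constructed, the user-to-name mapping is a simplified assumption, and the `max_docs` and `factor` thresholds are hypothetical.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data, not real postings. Field names follow the SAP
# fields named in the text: BKPF.USNAM (entering user), BSEG.DMBTR (amount).
BKPF = [{"BELNR": str(1000001 + i), "USNAM": u} for i, u in enumerate(
    ["APCLERK1"] * 4 + ["GLACCT2"] * 4 + ["CFO_USER", "BATCH99"])]
AMOUNTS = [1200, 800, 1500, 950, 2000, 3000, 2500, 1800, 4_500_000, 700]
# Two lines per document (debit and credit side) with the same amount.
BSEG = [{"BELNR": h["BELNR"], "DMBTR": a}
        for h, a in zip(BKPF, AMOUNTS) for _ in range(2)]
# Assumption: user master already flattened to user ID -> real name.
USER_NAMES = {"APCLERK1": "A. Clerk", "GLACCT2": "G. Ledger",
              "CFO_USER": "C. Example (CFO)"}


def profile_users(bkpf, bseg, names):
    """Per entering user: document count, total and largest line amount."""
    user_of = {h["BELNR"]: h["USNAM"] for h in bkpf}
    docs, total, largest = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in bseg:
        user = user_of.get(line["BELNR"], "<no header>")
        docs[user].add(line["BELNR"])
        total[user] += line["DMBTR"]
        largest[user] = max(largest[user], line["DMBTR"])
    rows = [{"user": u, "name": names.get(u, "<not in user master>"),
             "docs": len(docs[u]), "total": total[u], "max_line": largest[u]}
            for u in docs]
    return sorted(rows, key=lambda r: r["max_line"], reverse=True)


def flag_outliers(rows, max_docs=3, factor=10):
    """Users with few documents whose largest line dwarfs the median user's.

    max_docs and factor are illustrative thresholds, not audit standards.
    """
    typical = median(r["max_line"] for r in rows)
    return [r for r in rows
            if r["docs"] <= max_docs and r["max_line"] >= factor * typical]


if __name__ == "__main__":
    report = profile_users(BKPF, BSEG, USER_NAMES)
    for r in report:
        print(f'{r["user"]:<10}{r["name"]:<22}{r["docs"]:>3}{r["max_line"]:>12,}')
    print("review first:", [r["user"] for r in flag_outliers(report)])
```

User IDs that post entries but have no match in the name mapping show up as `<not in user master>`, which is the other result of comparing the poster list against the people who actually work in the company.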
Suffice it to say that the Big 4 audit firm did receive a fine for not noticing.
So, there is a lot to do in a big organization in order to really be able to help the company to recognize fraud and avoid fines and prosecution. But often management does not give internal audit the resources that they need.