An improvement of data analytics detection rules in the internal audit of the procurement and inventory processes

Abstract

Data analytics is a powerful tool to deliver value-added internal audit results as it reduces execution time and increases efficiency, effectiveness, and assurance level compared with the audit sampling approach. Because detection rules are criteria applied in the data analytics method to discover anomalies in the business transactions. Therefore, this project aims to improve the anomaly detection rules in the procure-to-pay and inbound inventory processes for an audit firm based in Thailand to provide internal audit services for clients in the manufacturing business. The sub-processes cover (1) process governance, (2) vendor selection, evaluation, and master data maintenance, (3) ordering, (4) goods receipts, (5) invoice processing, and (6) payment.

The project methodology comprises 4 steps. Firstly, the processes and the animal feed manufacturing business which is relevant to the case study company were understood. Then, the draft of business process flows, risk and control matrix, and detection rules were prepared. The information is based on 16 current detection rules of the TH office, TH office’s knowledge management database, international institutes’ publications, academic journals, and the author’s 9-year internal audit working experience. In the second step, these materials were used for discussing with two subject matter experts in order to ensure that key risks, internal controls, and detection rules were identified adequately. As a result of understanding the processes and interviewing with the experts, 15 out of 16 detection rules of the TH office were applicable to the case study company and needed no adjustment. The remaining rule was improved by enhancing detection aspects. Furthermore, additional 18 rules were identified to complete reviewing the P2P and inbound inventory processes.

Next, all of the 34 improved detection rules (15 existing, 1 improved, and 18 new rules) were tested their effectiveness with the data set generated based on the animal feed producer’s purchasing transactions. After testing the effectiveness of all rules in Microsoft Excel, they discovered more findings (100% increase) and suspicious transactions for further investigation (157% increase) compared with the existing 16 rules. For example, it appears that all the procurement staff is responsible for both vendor master data maintenance and PO creation roles which increase the opportunity of embezzlement. Another example is that 0.46% of purchasing transactions received goods over than user’s requirements which raises unnecessary inventory cost and risk of the rotten feed ingredient. However, no additional area for improvement was found by the improved rules. Lastly, even though the improved rules found no exception by 150% increase from the original ones, these new rules escalate the confidential level through testing all or larger transactions than the small sample size.

From the above advantages of applying detection rules through the data analytics method, there are opportunities for future work to enhance the scope of detection rules development to other business processes, other industries as well as the same industries but other kinds of products. Moreover, there is an opportunity to test the rules with the other advanced data analytics tools or develop a programme to automatically detect anomalies. In addition, other researchers can link the rules with the ERP data for real-time data analytics. However, applying detection rules has some limitations that need to be considered such as availability of data and tools as well as required skills. In addition, success in detecting anomalies depends on interpreting data analytics results by the internal auditors and deliberately data manipulation to close the gaps by perpetrators.