Toward the end of the spring season, our team was contacted by the internal audit head of a global retail organization who requested that we investigate several abnormal transactions in a recently acquired subsidiary, referred to as "PQR," located in the western region of India. During a detailed discussion with the IA Head, he provided us with a brief overview of the anomalies, which included irregular transactions that were restated as follows:
- A significant portion of direct overhead costs were attributed to vendors who were sister concerns of the PQR's predecessor management.
- The stock of raw materials as per the books did not match with the actual physical count of raw materials.
- A few whistle-blower complaints were received suddenly during the pre-acquisition period, related to party transactions.
Based on this information, we structured the project to follow a six-step approach, beginning with a process understanding and walkthrough. This is then followed by L1 checks on all vendors, incorporating public domain searches over corporate registry records, tax records, social media searches, blogs, testimonials and other available sources. Transaction testing is performed next, encompassing the entire procure-to-pay process to determine the actual transaction. Market benchmarking is then carried out, consisting of sourcing inquiries from the market by performing a mystery shopping exercise. Access testing will also be conducted, which consists of analysing and reviewing the transactions and access logs from the inventory and accounting module of the ERP. Finally, observations and recommendations are reported to the head of the organization.
After agreeing to the above scope, we initiated our work and adopted meticulous approach to investigate the concerns expressed by the IA Head:
To begin with, a thorough L1 Check was conducted on the vendors that constitute the direct overheads of the company. We observed that six vendors had a common director and key managerial personnel (KMP) relationship with the former promoters and directors of PQR. Further, three additional vendors were identified through social media searches as being linked to family members of the promoters and directors.
Next, detailed transaction level testing was conducted, along with market benchmarking, for the transactions identified with the above nine vendors. Detailed transaction testing revealed anomalies for the previous year, including goods sold at a 40% higher rate than the prevailing market rates and payment for a few materials that were never received by PQR, and that the books had been closed on the authorization of the CFO.
Then, we obtained the audit and transactional log of the inventory module of the warehouse and performed analytics over the logs, which revealed that access was given to individuals whose roles did not match their responsibilities, unauthorized changes were made in the inventory module by those individuals and period-end adjustments were made without approval notes from management.
Finally, based on the above findings, we presented a fact-finding report to management comprising the allegations investigated, procedures adopted, outcome of investigation, accountability based on the approvals and interviews with the process owners and next steps.
Our Learnings From the Case
- At the start of the project, adopt a basic framework or structure to establish a standard. If a new approach is introduced, upgrade the initial framework accordingly.
- Public domain checks are a vital tool for establishing connections and identifying undisclosed relationships.
- Conducting detailed transaction testing makes it easier to trace the entire transaction process and identify the parties involved in the process, including the source and end of the transactions.
- The analysis of audit and transactional logs is essential in uncovering unauthorized changes made within a system.