Using DUDS to detect fraud

Using DUDS to detect fraud – dollar unit discovery sampling

James L. Boockholdt

SINCE INTERNAL AUDITORS do not provide any attestation of financial reports to the public, their direct legal responsibility is usually nominal. However, internal auditors, indirect legal responsibility is implied in Statement on Internal Auditing Standards (SIAS) No. 3, “Deterrence, Detection, Investigation, and Reporting of Fraud”; and, in instances that involve shareholder losses, it is conceivable that an internal auditor who fails to report or investigate indicators of fraud during audits could be held negligent in court.(1) Internal auditors should, therefore, assess the risk of encountered errors and irregularities (or possible ones) and be able to justify the reasonableness of their fraud-detection procedures.

While the level of “reasonableness” is a matter of audit judgment, an internal auditor can quantify the risk by using a statistical sampling approach in selecting transactions to be examined, for example, thereby providing a more defensible position during an inquiry. The National Commission on Fraudulent Financial Reporting (Treadway Commission) identified the two largest fraud categories in corporations as overstatement of assets (38% of all frauds) and improper recognition of revenue (47%)(2). Dollar unit discovery sampling (DUDS) can verify the existence and valuation of the most manipulatable accounts in these two categories, sales and inventory.

Internal auditors may use DUDS at either the subsidiary or corporate level, as suggested by the Treadway Commission. In addition to sales and inventory, DUDS could also be used in almost every facet of internal audits.

* Sales and Inventory Fraud The most frequently overstated revenue account is sales. Salesmen, branch managers, or those at a higher level whose income, bonuses, or even job security are tied into the sales activities, may have incentives to inflate sales. Income may be inflated by recording sales in an earlier time period than actually earned.

Nonexistent sales may be detected by selecting a sample of credit customers and confirming their account balances. Timing irregularities could be examined by selecting a sample of transactions around year-end and verifying that these transactions have been recorded in the proper period. Discovery sampling techniques allow the auditor to quantify and control the attained degree of assurance in these situations.

Another form of common fraud is overstated inventory. This understates Cost of Goods Sold and overstates Net Income. Such frauds are detected by taking test counts during physical inventory. By selecting a sample of inventory items, the auditor can determine the quantity on hand of each item in the sample and compare these test counts with quantities recorded. To detect overstated inventory, a sample of sufficient size must be selected. Discovery sampling is an effective way to control risk and to quantify degree of assurance when performing these tests of inventory.

* Discovery Sampling With discovery sampling, the auditor’s objective is to draw a sample containing at least one example of a fraud, if such a fraud is present. When the auditor finds one or more occurrences in the sample, the investigation is expanded to determine the extent of the problem.

The principal risk in discovery sampling is that the sample contains no instances of the fraud when fraud exists in the population. This risk varies according to how the sample is selected. The two methods for selecting the sample are random sampling and dollar unit sampling.

Random Sampling

When random sampling is used, the auditor draws conclusions concerning problem rates. For example, an auditor draws a random sample of 59 items from a large population and finds no instances of fraud. The auditor concludes with a risk factor of .05 (that is, 95% assurance) that the fraud rate is less than 5% .

The shortcoming of this approach is that the results provide no conclusions concerning the dollar amounts of possible frauds. In this example, suppose there were 50,000 items having an average book value of $40. Then the total book value is $2 million. Suppose the auditor regards $100,000 as material. If all items had the same book value, the random sampling approach would provide the appropriate assurance. This is be cause a $100,000 error equals 5% of the population.

However, in cases where items have substantially different book values, the random sampling approach provides little protection against the risk of failure to detect fraud. Using the previous example, suppose only 20 items are fictitious, and that these items have book values of $5,000 each, so that their total is $100,000. The probability that a random sample would detect this fraud is only 2.4%, giving a risk of .976 rather than .05. To find such a fraud with the desired risk, a random sample of greater than 7,000 is required. Because of this limitation, dollar unit sampling (sometimes called “sampling with probability proportional to size”) is preferred in searches for fraudulent items.

Dollar Unit Sampling

With dollar unit discovery sampling (DUDS), the auditor selects each item so that the probability of its being drawn is proportional to its book value. Such a plan provides little variability in the probability of selecting a fraud of a specific dollar amount regardless of the number of fraudulent items. A DUDS plan is equally effective in detecting either a fraud concentrated in a few large items, or a fraud spread out over many small ones.

* Implementing a DUDS Plan To implement a DUDS sampling plan, the auditor must first estimate three quantities:

S = the population book dollar amount. Usually this is the balance in the accounts receivable, sales revenue, or accounts payable accounts.

T = the tolerable error in dollars. This may be interpreted as the materiality threshold for the test.(3)

B = the tolerable risk of incorrect acceptance. This is the risk of failing to detect a fraud equal to the tolerable error.

An approximate formula for the sample size n is given by:

[MATHEMATICAL EXPRESSION OMITTED] In this equation, 1n[Beta] denotes the natural logarithm (or logarithm to the base e), and is provided by most business calculators. The value acquired through using this formula is rounded up. This provides a conservative estimate of the sample size, since the true risk for the resulting DUDS is slightly less than the value of B used in the formula.

To illustrate, consider the previous example in which the auditor wants 95% assurance that total fraud of $100,000 will be detected. In this case, S = $2,000,000, T = $100,000, and B = .05. Then n is determined as follows:

[MATHEMATICAL EXPRESSION OMITTED] Note that this sample size is approximately the same as the sample size needed for a 5% error rate with random sampling. This shows how using DUDS costs little in efficiency but provides better control of risk than random sampling.

* Alternative DUDS Procedures Either of two approaches may be used in implementing a DUDS plan: the systematic approach or the random-dollar approach (not to be confused with the random approach described above.)

The Systematic Approach

Exhibit 1 shows a small population and a small sample size. The account being examined contains 40 items

Exhibit 1 EXAMPLE OF SYSTEMATIC DUDS Random Number between 0 and 3000 Assumed Random Number – 884

Item Book Cumulative Results

1 $283 283

2 700 893 884 Selected

3 106 1,089

4 31 1,120

5 635 1,755

6 913 2,668

7 88 2,756

8 1,304 4,060 3,884 Selected

9 2,070 6,130

10 1,005 7,135 6,884 Selected

11 289 7,424

12 1,266 8,690

13 2,500 11,190 9,884 Selected

14 1,698 12,888 12,884 Selected

15 1,404 14,292

16 231 14,523

17 995 15,518

18 324 15,842

19 135 15,977 15,884 Selected

20 1,414 17,391

21 1,150 18,541

22 1,200 19,741 18,884 Selected

23 835 20,576

24 1,350 21,926 21,884 Selected

25 400 22,326

26 48 22,374

27 610 22,984

28 1,502 24,486

29 231 24,717

30 853 25,570 24,884 Selected

31 730 26,300

32 183 26,483

33 200 26,683

34 500 27,183

35 712 27,895 27,884 Selected

36 403 28,298

37 215 28,513

38 400 28,913

39 102 29,015

40 985 30,000

with book values shown in the second column. Assume that S = $30,000, the internal auditor has determined that the value of B = .10 is appropriate, and T = $7,000. Applying the sample size formula, the auditor arrives at:

[MATHEMATICAL EXPRESSION OMITTED] which is rounded up to 10.

To apply the systematic approach, the auditor must create cumulative totals of book values as shown in the third column. Next, the auditor computes J, the dollar unit sampling interval. This equals the total book value of the account divided by the sample size. For the data in Exhibit 1, it is:

[MATHEMATICAL EXPRESSION OMITTED] The auditor then uses a random number table or generator to select a number between 0 and 3,000. Assume that in this case the random number drawn is 884. The auditor then selects the items representing the 884th dollar, the 3,884th dollar, and the 6,884th dollar, and so on through the 27,884th dollar. These items are marked in the far right-hand column of Exhibit 1.

The Random-dollar Approach

Exhibit 2 illustrates an alternative DUDS procedure, the random-dollar approach. The first three columns in this table are identical to those in Exhibit 1. The sample size calculation, resulting in a value of N = 10, is also the same. The last column differs, however, showing that the random-dollar approach produces a different sample. Using this approach, the auditor selects a random number between 0 and the account book value for each item in the sample. The auditor then includes in the sample the item containing this randomly chosen dollar. Exhibit 2 EXAMPLE OF DUDS Random Numbers between 0 and 30,000 Assumed random numbers in order are: (1) 24,719; (2) 12,010; (3) 1,406; (4) 29,456; (5) 4,200; (6) 6,894; (7) 9,165; (8) 2,044; (9) 12,507;* (10) 17,200; (11) 8,400*

Item Book Cumulative Results

1 283 283

2 700 983

3 106 1,089

4 31 1,120

5 635 1,755 1,406 Selected

6 913 2,668 2,044 Selected

7 88 2,756

8 1,304 4,060

9 2,070 6,130 4,200 Selected

10 1,005 7,135 6,894 Selected

11 289 7,424

12 1,266 8,690 8,440 Selected*

13 2,500 11,190 9,165 Selected

14 1,698 12,888 12,010 Selected*

15 1,404 14,292

16 231 14,523

17 995 15,518

18 324 15,842

19 135 15,977

20 1,414 17,391 17,200 Selected

21 1,150 18,541

22 1,200 19,741

23 835 20,576

24 1,350 21,926

25 400 22,326

26 48 22,374

27 610 22,984

28 1,502 24,486

29 231 24,717

30 853 25,570 24,719 Selected

31 730 26,300

32 183 26,483

33 200 26,683

34 500 27,183

35 712 27,895

36 403 28,298

37 215 28,513

38 400 28,913

39 102 29,015

40 985 30,000 29,456 Selected

(*) Since Item 14 was selected twice, an additional random number was drawn, resulting in the selection of Item 12.

In the example of Exhibit 2, the auditor selects 10 random numbers between 0 and 30,000. For each random number, the sampled item is that one containing the cumulative total above it. For example, the third random number is 1,406. This means that the sampling procedure has randomly selected the 1,406th dollar in the account. The 1,406th dollar is on item number 5. Its cumulative total is 1,755 and it has a book value of $635.

This procedure allows the selection of items more than once. When this occurs, the auditor must select additional numbers until an adequate sample is chosen. In the example, Item 14 was selected with both the second and the ninth random numbers. To make up for this, the auditor chose an eleventh random dollar.

Under current auditing standards, the auditor may use either the systematic approach or the random-dollar approach. In either case, the above formula provides a good approximation to the sample size. Many auditors consider the systematic approach easier to implement. However, the random-dollar approach is preferred theoretically. One can show that, using the random-dollar approach, the formula is conservative for any possible sample size and arrangement of account book values.

Treatment of Material Items

An auditor usually would prefer to examine all material items during an audit. This happens automatically with the systematic approach. However, if the auditor chooses the random-dollar procedure, he or she should first examine those items in the account whose book values exceed the tolerable error. The auditor then selects a sample (as above) from the remaining amounts in the population.

To illustrate, assume as before that the total population value is $2 million, the tolerable error is $100,000, and the tolerable risk is .05. Further, assume that there are five items with balances greater than or equal to $100,000 and that there are five items with balances greater than or equal to $100,000 and that their amounts are $250,000, $200,000, $150,000, $100,000, and $100,000. These items have a total book value of $800,000. The auditor examines all five of these items and selects a sample from the remaining items in the account. To calculate the required sample size, the auditor uses the total book value for the remaining items; that is, S = $2,000,000 – $800,000 = $1,200,000. Therefore, the proper size for the sample is:

[MATHEMATICAL EXPRESSION OMITTED] The overall sampling plan requires that the auditor draw and examine 41 items from the account, including the five exceeding the tolerable rate and the 36 that are randomly selected.

The treatment for material items demonstrates an advantage of DUDS. As the number of individually significant items increases, the total number of sample items decreases when compared to the other sample selection method.

Precautions

Proper use of discovery sampling controls sampling risk and documents that the auditor has exercised “due professional care.” However, as with any other specialized technique, the auditor must exercise precautions.

First, the auditor must ensure that procedures are consistent with all relevant auditing standards. The auditor may want to refer to relevant SASs and SIASs regarding assessment of fraud risk and actions when fraud is discovered. The auditor should implement procedures for determining tolerable error and tolerable risk that are consistent with SAS 39.

Second, the auditor must ensure that he or she is sampling from the entire targeted population. Failure to do so may prevent detection of fraudulent items that have been deleted from subsidiary records prior to the audit.

Third, the procedures used to examine the selected items must provide reasonable assurance that any sampled fraudulent items will be detected. The auditor must trace them to underlying documentation and obtain competent evidence regarding the validity of the amounts. Since missing items are to be treated as errors, the auditor must find or reconstruct the evidence needed to evaluate the legitimacy of any missing item. Satisfactory resolution must be made for each sampled item.

* Conclusions Discovery sampling can be used by internal auditors to demonstrate compliance with their implied fraud detection requirements. This approach is also useful as an initial reactive technique, such as screening an account after an informant tipping. Samples are chosen so that if fraudulent transactions or account balances exist, at least one of them will be included. If such a fraudulent item is found, the auditor can conduct an investigation to determine the extent of the fraud. The extent of assurance obtained for this audit procedure is the complement of the audit risk associated with the statistical test.

Using discovery sampling for this purpose has three major advantages. First, it allows the internal auditor to quantify the degree of assurance obtained. This provides an objective measure of the risk that a material fraud exists undetected. Second, discovery sampling allows the internal auditor to control this risk. The risk can be decreased by increasing the sample size and increased by decreasing sample size. This allows auditors to trade off the risk they are willing to accept with the costs of obtaining added assurance through a larger sample size. Finally, the ability to quantify the risk of undetected material fraud allows auditors to standardize at a desired level of assurance throughout their engagement. Unless such procedures are prompted by reliable informants, using a consistent assurance level would help the internal audit department demonstrate its alertness to fraud and its high level of “due professional care” to management and external auditors, who must now evalute the internal auditing department strength under SAS 65.

A strong internal audit department enhances the organization’s creditability in the eyes of the public and the regulators. In addition, since external auditors may assess additional audit fees for providing supplementary procedures in cases of weak internal control, substantial savings could be realized. (1) Lawrence Sawyer, Sawyer’s Internal Auditing, Third Edition (Altamonte Springs,FL: The Institute of Internal Auditors), 1988, p. 1176. (2) Report of the National Commission on Fraudulent Financial Reporting, 1987, p. 112. (3) See AICPA CodiJied Professional Standards, Volume 1, Section AU 350.18.

James L. Boockholdt, PhD, CPA, is a Professor at Samford University in Birmingham, Alabama.

Stanley Y. Chang, PhD, CIA, CMA, CPA, is an Assistant Professor at Arizona State University West in Phoenix, Arizona.

David R. Finley, PhD, CPA, is an Associate Professor at Simon Fraser University, Burnaby, Canada.

COPYRIGHT 1992 Institute of Internal Auditors, Inc.

COPYRIGHT 2004 Gale Group