Finance AI Skill
Expense Audit
Design and execute expense audit programs including policy compliance reviews, anomaly detection, fraud investigation, and continuous monitoring frameworks. Use when conducting expense audits, detecting fraud patterns, building audit workflows, or implement...
Expense Audit & Compliance
Design and execute comprehensive expense audit programs including policy compliance reviews, anomaly detection, fraud investigation, and continuous monitoring frameworks to protect organizational assets and ensure expense policy adherence.
Workflow
Phase 1: Audit Program Design
- Audit scope and objectives:
- Define audit universe (all expenses, by department, by region, by risk tier)
- Risk assessment: identify high-risk areas (travel, entertainment, vendor payments)
- Policy review: current expense policy vs. industry best practices
- Regulatory requirements (SOX, GDPR data in receipts, local tax implications)
- Sampling methodology:
- Risk-based sampling (higher risk = larger sample)
- Stratified sampling by category, amount, department
- Statistical vs. judgmental sampling criteria
- Full-population automated testing where feasible
- Audit criteria development:
- Compliance checklist (receipt requirements, approval hierarchy, policy limits)
- Red flag indicators (duplicate submissions, weekend expenses, round-dollar amounts)
- Materiality thresholds (de minimis, significant, critical)
- Benchmark comparisons (industry averages, historical trends)
Phase 2: Audit Execution
- Data collection and preparation:
- Extract expense data from ERP/expensing system
- Data validation and completeness check
- Normalization across data sources
- Anonymization (privacy protection where required)
- Automated analysis:
- Duplicate detection (same amount, same date, same vendor)
- Policy violation scanning (over-limit, missing receipt, unauthorized category)
- Benford's Law analysis (statistical anomaly detection)
- Network analysis (related-party detection, circular reimbursements)
- Detailed testing:
- Sample selection and documentation
- Receipt verification (authenticity, completeness, policy alignment)
- Approval workflow review (proper authorization, segregation of duties)
- Vendor validation (legitimacy, related-party screening)
- Fieldwork and interviews:
- Employee interviews (select cases, fact-finding)
- Manager interviews (oversight practices, awareness)
- Finance team interviews (process understanding, controls)
- Documentation of findings and evidence
Phase 3: Reporting & Remediation
- Findings synthesis:
- Issue categorization (fraud, error, policy gap, system limitation)
- Root cause analysis (process, system, training, culture)
- Financial impact quantification
- Risk rating (critical, high, medium, low)
- Reporting:
- Management report (executive summary, detailed findings, recommendations)
- Board/audit committee report (high-level overview, material findings)
- Individual notifications (where appropriate, per HR policy)
- Trend analysis and year-over-year comparison
- Remediation tracking:
- Action plan development (owner, deadline, expected outcome)
- Follow-up and validation of remediation
- Policy updates and process improvements
- System enhancements and control automation
Templates
Expense Audit Program Framework
EXPENSE AUDIT PROGRAM — Annual Framework
==========================================
Version: [2025-01] | Audit Committee Approved
AUDIT OBJECTIVE:
Assess the effectiveness of expense management controls, detect policy
violations and potential fraud, and recommend improvements to reduce
risk, improve compliance, and optimize expense management processes.
AUDIT SCOPE:
Period under review: January 1, 2024 — December 31, 2024
Total expenses: $24.8M across 12,400 submissions
Coverage: All departments, all regions, all expense categories
Exclusions: Payroll-related expenses (covered under payroll audit)
RISK ASSESSMENT:
┌─────────────────────────────────┬────────────┬──────────┬─────────────────────────┐
│ Risk Area                       │ Likelihood │ Impact   │ Audit Effort Allocation │
├─────────────────────────────────┼────────────┼──────────┼─────────────────────────┤
│ Duplicate submissions           │ Medium     │ High     │ 15%                     │
│ Receipt fraud/forgery           │ Low        │ Critical │ 20%                     │
│ Policy non-compliance           │ High       │ Medium   │ 25%                     │
│ Related-party transactions      │ Low        │ Critical │ 15%                     │
│ Travel over-limit               │ High       │ Low      │ 10%                     │
│ Entertainment misclassification │ Medium     │ High     │ 10%                     │
│ System control weaknesses       │ Medium     │ Medium   │ 5%                      │
└─────────────────────────────────┴────────────┴──────────┴─────────────────────────┘
SAMPLING METHODOLOGY:
Automated testing: 100% of transactions (rule-based screening)
Manual testing:
• > $10,000: 100% review
• $5,000 — $10,000: 50% sample
• $1,000 — $5,000: 25% sample
• $500 — $1,000: 10% sample
• < $500: 5% sample
• High-risk categories (travel, entertainment): +10% sample rate
• New employees (< 6 months): +5% sample rate
Total manual sample: ~1,240 submissions (10% of population)
AUDIT CRITERIA:
Receipt requirements:
✓ All expenses > $25 require itemized receipt
✓ Receipt must show: vendor, date, amount, items purchased
✓ Digital receipts acceptable (email, e-receipt)
Approval hierarchy:
✓ < $500: direct manager approval
✓ $500 — $5,000: skip-level approval
✓ > $5,000: department head + finance approval
Policy limits:
✓ Meal per diem: $75/domestic, $125/international
✓ Lodging: $250/domestic, $350/international (tiered by city)
✓ Entertainment: $500/event maximum, pre-approval required
✓ Mileage: $0.67/mile (IRS rate)
Timing:
✓ Submission within 30 days of expense date
✓ No retroactive approvals > 90 days
RED FLAG INDICATORS:
1. Duplicate: same amount, same vendor, same date (or ±1 day)
2. Split receipt: multiple small claims just under approval threshold
3. Weekend/holiday: expense dates falling on non-business days
4. Round dollar: amounts at exact $50, $100, $500 increments
5. Missing receipt: claims submitted without required documentation
6. Vendor anomaly: personal accounts (Venmo, CashApp), unusual merchants
7. Geographic mismatch: expense location inconsistent with travel itinerary
8. Frequency: unusual volume from single employee in short period
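Added example (not part of the original framework): a rule-based screen for red flags 1 through 6, using the receipt, approval and round-dollar limits stated above. The record fields, the `screen` and `claim` names, the sample claims, and the exact definition of a split receipt are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
# Amounts are integer cents; limits below come from the audit criteria above.
APPROVAL_TIERS = (50_000, 500_000)   # $500 and $5,000 approval boundaries
RECEIPT_MIN = 2_500                  # itemized receipt required above $25
P2P_MARKERS = ("venmo", "cashapp")   # personal accounts named in red flag 6

def screen(claims):
    """Return {claim_id: set of red-flag names} covering red flags 1-6."""
    flags = defaultdict(set)
    same_vendor_amount = defaultdict(list)   # duplicate candidates
    same_day = defaultdict(list)             # split-receipt candidates
    for c in claims:
        vendor = c["vendor"].lower()
        same_vendor_amount[(vendor, c["amount"])].append(c)
        same_day[(c["employee"], vendor, c["date"])].append(c)
        if c["date"].weekday() >= 5:                  # Saturday or Sunday
            flags[c["id"]].add("weekend")
        if c["amount"] % 5_000 == 0:                  # exact multiple of $50
            flags[c["id"]].add("round_dollar")
        if c["amount"] > RECEIPT_MIN and not c["receipt"]:
            flags[c["id"]].add("missing_receipt")
        if any(m in vendor for m in P2P_MARKERS):
            flags[c["id"]].add("vendor_anomaly")
    # Flag 1: same vendor and amount, dates at most one day apart.
    for group in same_vendor_amount.values():
        group.sort(key=lambda c: c["date"])
        for a, b in zip(group, group[1:]):
            if (b["date"] - a["date"]).days <= 1:
                for x in (a, b): flags[x["id"]].add("duplicate")
    # Flag 2 (assumed definition): same employee, vendor and day; each claim is
    # below an approval tier but together they reach it.
    for group in same_day.values():
        total = sum(c["amount"] for c in group)
        for tier in APPROVAL_TIERS:
            under = all(c["amount"] < tier for c in group)
            if len(group) > 1 and under and total >= tier:
                for c in group:
                    flags[c["id"]].add("split_receipt")
    return dict(flags)

def claim(cid, emp, vendor, cents, day, receipt=True):
    return {"id": cid, "employee": emp, "vendor": vendor, "amount": cents,
            "date": date(2024, 3, day), "receipt": receipt}

# Constructed sample claims, not data from the report on this page.
SAMPLE = [claim("C1", "A", "Metro Cab", 24_500, 12), claim("C2", "A", "Metro Cab", 24_500, 13),
          claim("C3", "B", "Grand Hotel", 29_900, 14), claim("C4", "B", "Grand Hotel", 28_750, 14),
          claim("C5", "C", "Venmo *J Smith", 10_000, 16, receipt=False),
          claim("C6", "D", "Office Depot", 4_210, 18)]
```

Holidays, geographic mismatch and submission frequency (the rest of flag 3, and flags 7 and 8) need a holiday calendar, itinerary data and per-employee baselines, so they are left out here.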
Audit Findings Report Template
AUDIT FINDINGS REPORT — Expense Audit Q4 2024
================================================
Report Date: 2025-01-15 | Distribution: CFO, Audit Committee, Department Heads
EXECUTIVE SUMMARY:
Overall assessment: Controls are MODERATELY EFFECTIVE
Total findings: 14 (2 Critical, 4 High, 5 Medium, 3 Low)
Financial impact: $187,400 identified in questionable expenses
Fraud indicators: 3 cases under investigation
Compliance rate: 89.2% (target: 95%)
FINDING #1 — Duplicate Expense Submissions (HIGH)
Risk rating: HIGH | Financial impact: $42,300
Frequency: 37 duplicate pairs detected across 28 employees
Root cause: System does not flag near-duplicate submissions; manual review
process inconsistent
Evidence: Automated scan identified 37 duplicate pairs totaling $42,300
(examples: Employee A submitted two $245 travel claims on
consecutive days with identical vendor)
Recommendation:
✓ Implement automated duplicate detection in expensing system
✓ Add duplicate check to manager approval workflow
✓ Retroactive investigation for 2024 submissions
✓ Recovery action for identified duplicates (14 cases deemed
unintentional — education; 23 cases flagged for recovery)
FINDING #2 — Receipt Fraud Indicators (CRITICAL)
Risk rating: CRITICAL | Financial impact: $67,800 (under investigation)
Frequency: 3 employees flagged for suspicious receipt patterns
Root cause: Manual receipt verification insufficient; system lacks
image authentication capabilities
Evidence:
• Employee X: 12 expense claims with identical receipt font/spacing
(suggesting digital manipulation) — $28,400
• Employee Y: 8 expense claims at non-existent vendor (name similarity
to real vendor) — $21,600
• Employee Z: 15 expense claims with weekend timestamps but receipt
dates on weekdays — $17,800
Recommendation:
✓ Immediate HR + internal audit investigation
✓ Implement receipt OCR with authenticity verification
✓ Vendor validation against known business database
✓ Recovery action pending investigation outcome
FINDING #3 — Travel Policy Non-Compliance (MEDIUM)
Risk rating: MEDIUM | Financial impact: $54,200
Frequency: 156 over-limit submissions (not pre-approved)
Root cause: Unclear communication of city-tiered lodging limits;
booking system does not enforce limits at point of booking
Evidence: Automated policy scan identified 156 submissions exceeding
lodging or meal per diem limits without pre-approval
Recommendation:
✓ Integrate policy limits into travel booking system
✓ Pre-approval workflow for exceptions
✓ Refresher training for all employees
✓ Department-level compliance dashboards
FINDING #4 — Related-Party Transaction Weakness (HIGH)
Risk rating: HIGH | Financial impact: $23,100
Frequency: 7 claims involving vendors linked to employees
Root cause: No automated related-party screening; disclosure process
relies on self-reporting
Evidence: Cross-referencing vendor bank accounts with employee
direct deposit accounts identified 7 potential matches
Recommendation:
✓ Implement automated related-party screening
✓ Mandatory annual conflict-of-interest disclosure
✓ Policy update: prohibition on personal gain from vendor selection
✓ Review all vendor relationships for 2024
REMEDIAL ACTIONS STATUS:
┌──────────────────────────────┬───────────┬──────────┬───────────┐
│ Action │ Owner │ Deadline │ Status │
├──────────────────────────────┼───────────┼──────────┼───────────┤
│ Duplicate detection system │ IT/Finance│ Feb 28 │ Planned │
│ Receipt OCR implementation │ IT │ Mar 31 │ Planned │
│ Travel policy training │ HR │ Jan 31 │ In Progress│
│ Related-party screening │ Finance │ Feb 15 │ Planned │
│ Fraud investigation closure │ IA/HR │ Feb 28 │ Active │
│ Vendor validation database │ Procurement│ Mar 15 │ Planned │
│ Recovery process execution │ Finance │ Jan 31 │ Active │
└──────────────────────────────┴───────────┴──────────┴───────────┘
CONTINUOUS MONITORING RECOMMENDATIONS:
1. Monthly automated duplicate scan (all transactions)
2. Quarterly policy compliance review (stratified sample)
3. Annual Benford's Law analysis (statistical anomaly detection)
4. Real-time alerts for: > $10K submissions, weekend expenses,
new vendor first use, related-party matches
5. Annual audit program refresh and risk reassessment
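Added example (not part of the original template): the Benford's Law analysis named in recommendation 3, implemented as a chi-square test on first digits. The function name and both data sets are constructed for illustration; the anomaly models claims piled up just under the $500 direct-manager approval limit.

```python
import math
from collections import Counter

CHI2_CRITICAL = 15.507   # chi-square critical value: 8 degrees of freedom, alpha 0.05

def benford_test(amounts_cents):
    """Return (chi2, digit contributing most to chi2) for first-digit counts."""
    digits = [int(str(a)[0]) for a in amounts_cents if a > 0]
    observed, n = Counter(digits), len(digits)
    contrib = {}
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)      # Benford's expected count
        contrib[d] = (observed[d] - expected) ** 2 / expected
    return sum(contrib.values()), max(contrib, key=contrib.get)

# Constructed data: 300 amounts spread evenly on a log scale over three decades
# ($1 to $1,000), which follows Benford closely.
BASELINE = [int(100 * 10 ** (k / 100)) for k in range(300)]
# Constructed anomaly: 60 extra claims of $480-$499, just under the $500
# direct-manager approval limit from the audit criteria.
PADDED = BASELINE + [48_000 + 33 * i for i in range(60)]

if __name__ == "__main__":
    for name, data in (("baseline", BASELINE), ("padded", PADDED)):
        chi2, digit = benford_test(data)
        verdict = "investigate" if chi2 > CHI2_CRITICAL else "consistent"
        print(f"{name}: chi2={chi2:.1f} worst digit={digit} -> {verdict}")
```

Benford tests assume amounts that span several orders of magnitude. Categories capped by policy limits, such as per diems, deviate without any fraud and should be tested separately.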
Integration Points
- Expense management: Concur, Expensify, Rippling, Zoho Expense
- ERP systems: SAP, Oracle NetSuite, Microsoft Dynamics, Workday
- Audit management: TeamMate, AuditBoard, WorkflowMax
- Analytics tools: ACL (Galvanize), IDEA, Tableau, Power BI
- OCR platforms: Abbyy, Veryfi, Extractable (receipt processing)
- Fraud detection: AI-powered anomaly detection platforms
- eDiscovery: Relativity, Nuix (document review for investigations)
- HR systems: Workday, BambooHR (employee data, disciplinary action)
- Case management: Jira, ServiceNow (finding tracking, remediation)
- Communication: Slack, email, MS Teams (alerting, reporting)
Edge Cases
| Scenario | Handling |
|----------|----------|
| C-level executive flagged for policy violation | Handle through confidential channel; notify audit committee; avoid public reprimand |
| Evidence of systematic fraud (not isolated) | Engage legal counsel; preserve evidence; consider law enforcement referral |
| Employee denies violation during interview | Document response; escalate per HR policy; focus on evidence not testimony |
| Audit findings reveal systemic policy flaw | Recommend policy revision; separate process finding from individual violations |
| Data privacy conflict (employee data in audit) | Consult legal; anonymize where possible; limit access to audit team |
| Retaliation concern after audit | Monitor flagged employees; ensure protection per whistleblower policy |
| Audit scope expanded mid-engagement | Formal scope change documentation; reassess timeline and resources |
| Management disputes audit findings | Present evidence clearly; allow management response in report; escalate to audit committee |
Output
Audit Program Dashboard
EXPENSE AUDIT — Program Dashboard
==================================
As of: 2025-01-15
AUDIT STATUS:
Current audit: Annual Expense Audit 2024
Phase: Reporting & Remediation
Completion: 85% (3 of 4 phases complete)
Estimated close: January 28, 2025
KEY METRICS:
Universe tested: $24.8M | 12,400 submissions
Sample tested: $2.4M | 1,240 submissions (10%)
Automated testing: 100% of population (rule-based)
COMPLIANCE OVERVIEW:
Overall compliance rate: 89.2% [██████████████████████░░░░░░] (target: 95%) ⚠
Receipt compliance: 94.5% [█████████████████████████░░░] ✓
Approval compliance: 96.8% [████████████████████████████] ✓
Policy limit compliance: 87.1% [██████████████████████░░░░░░] ⚠
Timely submission: 91.3% [█████████████████████████░░░] ✓
FINDINGS SUMMARY:
Critical: 2 [████] — Investigation active
High: 4 [████████] — Remediation planned
Medium: 5 [████████████] — Remediation in progress
Low: 3 [█████] — Acceptable risk / monitoring
FINANCIAL EXPOSURE:
Questionable expenses: $187,400
Duplicate amount: $42,300 (recovery target)
Over-limit unapproved: $54,200 (training + system fix)
Fraud under investigation: $67,800 (pending outcome)
Related-party exposure: $23,100 (screening + policy fix)
REMEDIATION TRACKING:
Actions planned: 7
In progress: 2
Completed: 0
Overdue: 0
CONTINUOUS MONITORING:
Active alerts: 4
• Real-time duplicate detection: ACTIVE
• Over-limit notification: ACTIVE
• Weekend expense alert: ACTIVE
• Related-party screening: PENDING (go-live Feb 15)
Monthly scan schedule: 1st of each month (automated)
Last scan: 2025-01-01 → 12 near-duplicates flagged (auto-resolved)
TREND ANALYSIS (Quarterly):
┌──────────────┬──────────┬──────────┬──────────┬──────────┐
│ Metric │ Q4 2023 │ Q1 2024 │ Q2 2024 │ Q4 2024 │
├──────────────┼──────────┼──────────┼──────────┼──────────┤
│ Compliance │ 92.1% │ 90.8% │ 89.5% │ 89.2% │ ← ⚠ Declining
│ Avg claim $ │ $847 │ $892 │ $915 │ $923 │ ← Rising
│ Duplicates │ 18 │ 22 │ 31 │ 37 │ ← ⚠ Increasing
│ Over-limit │ 98 │ 112 │ 134 │ 156 │ ← ⚠ Increasing
│ Fraud flags │ 1 │ 0 │ 2 │ 3 │ ← ⚠ Emerging
└──────────────┴──────────┴──────────┴──────────┴──────────┘
Trend assessment: COMPLIANCE DECLINING — requires management attention
Recommended actions: policy refresher training; system enforcement;
enhanced monitoring