Tag Archives: data analysis

Finding the Words

I had lunch with a long-time colleague the other day and the topic of conversation having turned to our May training event next week, he commented that when conducting a fraud examination, he had always found it helpful to come up with a list of words specifically associated with the type of fraud scenario on which he was working.  He found the exercise useful when scanning through the piles of textual material he frequently had to plow through during complex examinations.

Data analysis in the traditional sense involves running rule-based queries on structured data, such as that contained in transactional databases or financial accounting systems. This type of analysis can yield valuable insight into potential frauds. But, a more complete analysis requires that fraud examiners (like my friend) also consider unstructured textual data. Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports. Unstructured data, by contrast, is data that would not be found in a traditional spreadsheet or database. It is typically text based.

Our client’s employees are sending and receiving more email messages each year, retaining ever more electronic source documents, and using more social media tools. Today, we can anticipate unstructured data to come from numerous sources, including:

• Social media posts
• Instant messages
• Videos
• Voice files
• User documents
• Mobile phone software applications
• News feeds
• Sales and marketing material
• Presentations

Textual analytics is a method of using software to extract usable information from unstructured text data. Through the application of linguistic technologies and statistical techniques, including weighted fraud indicators (e.g., my friend’s fraud keywords) and scoring algorithms, textual analytics software can categorize data to reveal patterns, sentiments, and relationships indicative of fraud. For example, an analysis of email communications might help a fraud examiner gauge the pressures/incentives, opportunities, and rationalizations to commit fraud that exist in a client organization.

According to my colleague, as a prelude to textual analytics (depending on the type of fraud risk present in a fraud examiner’s investigation), the examiner  will frequently profit by coming up with a list of fraud keywords that are likely to point to suspicious activity. This list will depend on the industry of the client, suspected fraud schemes, and the data set the fraud examiner has available. In other words, if s/he is running a search through journal entry detail, s/he will likely search for different fraud keywords than if s/he were running a search of emails. It might be helpful to look at the ACFE’s fraud triangle when coming up with a keyword list. The factors identified in the triangle are helpful when coming up with a fraud keyword list. Consider how someone in the entity under investigation might have the opportunity to commit fraud, be under pressure to commit fraud, or be able to rationalize the commission of fraud.

Many people commit fraud because of something that has happened in their life that motivates them to steal. Maybe they find themselves in debt, or perhaps they must meet a certain goal to qualify for a performance-based bonus. Keywords that might indicate pressure include deadline, quota, trouble, short, problem, and concern. Think of words that would indicate that someone has the opportunity or ability to commit fraud. Examples include override, write-off, recognize revenue, adjust, discount, and reserve/provision.

Since most fraudsters do not have a criminal background, justifying their actions is a key part of committing fraud. Some keywords that might indicate a fraudster is rationalizing his actions include reasonable, deserve, and temporary.

So, even though the concepts embodied in the fraud triangle are a good place to start when developing a keyword list, it’s also important to consider the nature of the client entity’s industry and the types of payments it makes or is suspected of making. Think about the fraud scenarios that are likely to have occurred. Does the entity do a significant amount of work overseas or have many contractors? If so, there might be an elevated risk of bribery. Focus on the payment text descriptions in journal entries or in work delated documentation, since no one calls it “bribe expense.” Some examples of word combinations in payment descriptions that might merit special attention include:

• Goodwill payment
• Consulting fee
• Processing fee
• Incentive payment
• Donation
• Special commission
• One-time payment
• Special payment
• Friend fee
• Volume contract incentive

Any payment descriptions bearing these, or similar terms warrant extra scrutiny to check for reasonableness. Also, examiners should always be wary of large cash disbursements that have a blank journal payment description.

Beyond key word lists, the ACFE tells us that another way to discover fraud clues hidden in text is to consider the emotional tone of employee correspondence. In emails and instant messages, for instance, a fraud examiner should identify derogatory, surprised, secretive, or worried communications. In one example, former Enron CEO Ken Lay’s emails were analyzed, revealing that as the company came closer to filing bankruptcy, his email correspondence grew increasingly derogatory, confused, and angry. This type of analysis provided powerful evidence that he knew something was wrong at the company.

While advanced textual analytics can be extremely revealing and can provide clues for potential frauds that might otherwise go unnoticed, the successful application of such analytics requires the use of sophisticated software, as well as a thorough understanding of the legal environment of employee rights and workplace searches. Consequently, fraud examiners who are considering adding textual analytics to their fraud detection arsenal should consult with technological and legal experts before undertaking such techniques.

Even with sophisticated data analysis techniques, some data are so vast or complex that they remain difficult to analyze using traditional means. Visually representing data via graphs,  link diagrams, time-series charts, and other illustrative representations can bring clarity to a fraud examination. The utility of visual representations is enhanced as data grow in volume and complexity. Visual analytics build on humans’ natural ability to absorb a greater volume of information in visual rather than numeric form and to perceive certain patterns, shapes, and shades more easily than others.

Link analysis software is used by fraud examiners to create visual representations (e.g., charts with lines showing connections) of data from multiple data sources to track the movement of money; demonstrate complex networks; and discover communications, patterns, trends, and relationships. Link analysis is very effective for identifying indirect relationships and relationships with several degrees of separation. For this reason, link analysis is particularly useful when conducting a money laundering investigation because it can track the placement, layering, and integration of money as it moves around unexpected sources. It could also be used to detect a fictitious vendor (shell company) scheme. For instance, the investigator could map visual connections between a variety of entities that share an address and bank account number to reveal a fictitious vendor created to embezzle funds from a company.  The following are some other examples of the analyses and actions fraud examiners can perform using link analysis software:

• Associate communications, such as email, instant messages, and internal phone records, with events and individuals to reveal connections.
• Uncover indirect relationships, including those that are connected through several intermediaries.
• Show connections between entities that share an address, bank account number, government identification number (e.g., Social Security number), or other characteristics.
• Demonstrate complex networks (including social networks).

Imagine a listing of vendors, customers, employees, or financial transactions of a global company. Most of the time, these records will contain a reference to a location, including country, state, city, and possibly specific street address. By visually analyzing the site or frequency of events in different geographical areas, a fraud investigator has yet another variable with which s/he can make inferences.

Finally, timeline analysis software aids fraud examiners in transforming their data into visual timelines. These visual timelines enable fraud examiners to:

• Highlight key times, dates, and facts.
• More readily determine a sequence of events.
• Analyze multiple or concurrent sequences of events.
• Track unaccounted for time.
• Identify inconsistencies or impossibilities in data.

Analytics & Fraud Prevention

During our Chapter’s live training event last year, ‘Investigating on the Internet’, our speaker Liseli Pennings, pointed out that, according to the ACFE’s 2014 Report to the Nations on Occupational Fraud and Abuse, organizations that have proactive, internet oriented, data analytics in place have a 60 percent lower median loss because of fraud, roughly $100,000 lower per incident, than organizations that don’t use such technology. Further, the report went on, use of proactive data analytics cuts the median duration of a fraud in half, from 24 months to 12 months.

This is important news for CFE’s who are daily confronting more sophisticated frauds and criminals who are increasingly cyber based.  It means that integrating more mature forensic data analytics capabilities into a fraud prevention and compliance monitoring program can improve risk assessment, detect potential misconduct earlier, and enhance investigative field work. Moreover, forensic data analytics is a key component of effective fraud risk management as described in The Committee of Sponsoring Organizations of the Treadway Commission’s most recent Fraud Risk Management Guide, issued in 2016, particularly around the areas of fraud risk assessment, prevention, and detection.  It also means that, according to Pennings, fraud prevention and detection is an ideal big data-related organizational initiative. With the growing speed at which they generate data, specifically around their financial reporting and sales business processes, our larger CFE client organizations need ways to prioritize risks and better synthesize information using big data technologies, enhanced visualizations, and statistical approaches to supplement traditional rules-based investigative techniques supported by spreadsheet or database applications.

But with this analytics and fraud prevention integration opportunity comes a caution.  As always, before jumping into any specific technology or advanced analytics technique, it’s crucial to first ask the right risk or control-related questions to ensure the analytics will produce meaningful output for the business objective or risk being addressed. What business processes pose a high fraud risk? High-risk business processes include the sales (order-to-cash) cycle and payment (procure-to-pay) cycle, as well as payroll, accounting reserves, travel and entertainment, and inventory processes. What high-risk accounts within the business process could identify unusual account pairings, such as a debit to depreciation and an offsetting credit to a payable, or accounts with vague or open-ended “catch all” descriptions such as a “miscellaneous,” “administrate,” or blank account names?  Who recorded or authorized the transaction? Posting analysis or approver reports could help detect unauthorized postings or inappropriate segregation of duties by looking at the number of payments by name, minimum or maximum accounts, sum totals, or statistical outliers. When did transactions take place? Analyzing transaction activities over time could identify spikes or dips in activity such as before and after period ends or weekend, holiday, or off-hours activities. Where does the CFE see geographic risks, based on previous events, the economic climate, cyber threats, recent growth, or perceived corruption? Further segmentation can be achieved by business units within regions and by the accounting systems on which the data resides.

The benefits of implementing a forensic data analytics program must be weighed against challenges such as obtaining the right tools or professional expertise, combining data (both internal and external) across multiple systems, and the overall quality of the analytics output. To mitigate these challenges and build a successful program, the CFE should consider that the priority of the initial project matters. Because the first project often is used as a pilot for success, it’s important that the project address meaningful business or audit risks that are tangible and visible to client management. Further, this initial project should be reasonably attainable, with minimal dollar investment and actionable results. It’s best to select a first project that has big demand, has data that resides in easily accessible sources, with a compelling, measurable return on investment. Areas such as insider threat, anti-fraud, anti-corruption, or third-party relationships make for good initial projects.

In the health care insurance industry where I worked for many years, one of the key goals of forensic data analytics is to increase the detection rate of health care provider billing non-compliance, while reducing the risk of false positives. From a capabilities perspective, organizations need to embrace both structured and unstructured data sources that consider the use of data visualization, text mining, and statistical analysis tools. Since the CFE will usually be working as a member of a team, the team should demonstrate the first success story, then leverage and communicate that success model widely throughout the organization. Results should be validated before successes are communicated to the broader organization. For best results and sustainability of the program, the fraud prevention team should be a multidisciplinary one that includes IT, business users, and functional specialists, such as management scientists, who are involved in the design of the analytics associated with the day-to-day operations of the organization and hence related to the objectives of  the fraud prevention program. It helps to communicate across multiple departments to update key stakeholders on the program’s progress under a defined governance regime. The team shouldn’t just report noncompliance; it should seek to improve the business by providing actionable results.

The forensic data analytics functional specialists should not operate in a vacuum; every project needs one or more business champions who coordinate with IT and the business process owners. Keep the analytics simple and intuitive, don’t include too much information in one report so that it isn’t easy to understand. Finally, invest time in automation, not manual refreshes, to make the analytics process sustainable and repeatable. The best trends, patterns, or anomalies often come when multiple months of vendor, customer, or employee data are analyzed over time, not just in the aggregate. Also, keep in mind that enterprise-wide deployment takes time. While quick projects may take four to six weeks, integrating the entire program can easily take more than one or two years. Programs need to be refreshed as new risks and business activities change, and staff need updates to training, collaboration, and modern technologies.

Research findings by the ACFE and others are providing more and more evidence of the benefits of integrating advanced forensic data analytics techniques into fraud prevention and detection programs. By helping increase their client organization’s maturity in this area, CFE’s can assist in delivering a robust fraud prevention program that is highly focused on preventing and detecting fraud risks.

On Auditors, Lawyers & Data

corp-counselWhen it comes to gaining access to sensitive, internal digital data during a forensic examination, the corporate council can be the fraud examiner’s best ally.  It, therefore, behooves us to fully understand the unifying role the client counsel holds in overseeing the entire review process.  As our guest blogger, Michael Hart, and other experienced practitioners have pointed out, data analysis becomes most effective when it’s integrated into the wider forensic accounting project.  If the end results are to cohere with findings from other sources, forensic data analysis should not be performed as a separate investigation, walled off from the other review efforts undertaken to benefit the client. Today, it’s a truism that data analysis can serve many functions within a forensic accounting project. On some occasions, it’s rightfully the main engine of an engagement. When such is the case, data analysis is used for highlighting potentially unusual items and trends. More often, however, in actual practice, data analysis is a complementary part of a wider forensic accounting investigation, a piece of a puzzle (and never the be all and end all of the investigation), that involves several other parallel methods of information analysis or evidence gathering, including document review, physical inspection, and investigative interviews.

The timing of the data analysis work depends on the extent to which the forensic accounting team needs to work with the results as defined by counsel. Frequently, once the method of a fraud has been established, data analysis is conducted to estimate the amount of damage. If the team knows that several components of an organization were affected by a fraud scheme, that team may be able to compare these results with those derived from analyses of unaffected branches and, after adjusting for other relevant factors, provide management with a broad estimate of the total effect on the financial statements. When such an approach is used, the comparison should be performed after the investigation has determined the characteristics of the fraud scheme. However, in most cases, as the ACFE tells us, the purpose of data analysis in an investigation is to identify suspicious activity on which the forensic accounting team can act.

Suspicious transactions can be identified in several ways: comparing different sources of evidence, such as accounting records and bank statements, to find discrepancies between them; searching digital records for duplicate transactions; or identifying sudden changes in the size, volume, or nature of transactions, which need to be explained. While data analysis often is a fast and effective way of highlighting potential areas of fraud, it will never capture every detail that an experienced fraud examiner can glean from reviewing an original document. If data analysis is performed to identify suspicious activity, it typically is performed before any manual review is carried out. This helps ensure that investigative resources are targeting suspicious areas and are concentrating on confirming fraudulent activity rather than concentrating on a search for such activity within a sea of legitimate transactions.

The first person to be contacted when there is a suspected fraud is typically in-house counsel. Depending on the apparent severity of the matter and its apparent location in the company, other internal resources to be alerted at an early stage, in addition to the board (typically through its audit committee), may include corporate security, internal audit, risk management, the controller’s office, and the public relations and investor relations groups. Investigations usually begin with extensive conversation about who should be involved, and the responsible executives may naturally wish to involve some or all the functions just mentioned.  Depending on the circumstances, the group of internal auditors (if there is one) can in fact be a tremendous asset to an independent forensic investigative team. As participants in the larger team, internal auditors’ knowledge of the company may improve both the efficiency with which evidence is gathered and the forensic team’s effectiveness in lining up interviews and analyzing findings. The ACFE advices client executives and in-house counsel to engage an external team but to consider making available to that team the company’s internal auditors, selected information systems staff and other internal resources for any investigation of substantial size.

The key to the success of all this from the forensic accountant’s point of view, especially in gaining access to critical digital data, can be the corporate counsel.  On one hand, the forensic accounting investigator may find that the attorney gives the forensic accounting investigator free rein to devise and execute a strategic investigative plan, subject to the attorney’s approval. That scenario is particularly likely in cases of asset misappropriation. On the other hand, some attorneys insist on being involved in all phases of the investigation. It’s the attorney’s call. When engaged by counsel, forensic accounting investigators take direction from counsel. You should advise per your best judgment, but in the end, you work at counsel’s direction.

When working with attorneys on projects involving sensitive digital data, forensic accounting investigators should specifically understand:

  • Their expected role and responsibilities vis-à-vis other team members;
  • Critical managers and players within the information systems shop and their various roles;
  • What other professionals are involved (current or contemplated);
  • The extent and source of any external scrutiny (SEC, IRS, DOJ, etc.);
  • Any legal considerations (extent of privilege, expectation that the company intends to waive privilege, expectation of criminal charges, and so on);
  • Anticipated timing issues, if any;
  • Expected form, timing, and audience of interim or final deliverables;
  • Specifics of the matters under investigation, as currently understood by counsel;
  • Any limitations on departments or personnel that can be involved, interviewed, or utilized in the investigation process.

Independent counsel, with the help of forensic accounting investigators, often takes the lead in setting up, organizing, and managing the entire investigative team. This process may include the selection and retention of other parties who make up the team. Independent counsel’s responsibilities typically encompass the following:

  • Preparing, maintaining, and disseminating a working-group list (very helpful in sorting out which law firms or experts represent whom);
  • Establishing the timetable in conjunction with the board of directors or management, disseminating the timetable to the investigating team, and tracking progress against it;
  • Compiling, submitting, and tracking the various document and personnel access requests that the investigating team members will generate;
  • Organizing client or team meetings and agendas;
  • Preparing the final report with or for the board or its special committee, or doing so in conjunction with other teams from which reports are forthcoming;
  • Establishing and maintaining communication channels with the board of directors and other interested parties, generally including internal general counsel, company management, regulatory personnel, law enforcement or tax authority personnel, and various other attorneys involved.

As fraud examiners, we’re frequently conversant in areas related to financial accounting and reporting such as valuation, tax, and the financial aspects of human resource management but conversant doesn’t necessarily indicate a sufficient level of knowledge to fully guide a complex organizational investigation.  What we can do, however, is to work closely with the corporate counsel to assist him or her in the building of a team on the back of which even the most complex examination can be brought to a successful conclusion.