
Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker Cary Moore’s observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud-related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding both the value of data mining and how to use the results is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those areas of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower-hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day.” There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable not only for helping institute robust data mining programs, but for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation is not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will introduce not only new risks but also new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but it is also one that, if effectively and efficiently implemented, can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises while saving money: a win/win opportunity for the client and for the CFE.

On Auditors, Lawyers & Data

When it comes to gaining access to sensitive, internal digital data during a forensic examination, the corporate counsel can be the fraud examiner’s best ally. It, therefore, behooves us to fully understand the unifying role the client counsel holds in overseeing the entire review process. As our guest blogger, Michael Hart, and other experienced practitioners have pointed out, data analysis becomes most effective when it’s integrated into the wider forensic accounting project. If the end results are to cohere with findings from other sources, forensic data analysis should not be performed as a separate investigation, walled off from the other review efforts undertaken to benefit the client. Today, it’s a truism that data analysis can serve many functions within a forensic accounting project. On some occasions, it’s rightfully the main engine of an engagement. When such is the case, data analysis is used for highlighting potentially unusual items and trends. More often, however, in actual practice, data analysis is a complementary part of a wider forensic accounting investigation, a piece of a puzzle (and never the be all and end all of the investigation), that involves several other parallel methods of information analysis or evidence gathering, including document review, physical inspection, and investigative interviews.

The timing of the data analysis work depends on the extent to which the forensic accounting team needs to work with the results as defined by counsel. Frequently, once the method of a fraud has been established, data analysis is conducted to estimate the amount of damage. If the team knows that several components of an organization were affected by a fraud scheme, that team may be able to compare these results with those derived from analyses of unaffected branches and, after adjusting for other relevant factors, provide management with a broad estimate of the total effect on the financial statements. When such an approach is used, the comparison should be performed after the investigation has determined the characteristics of the fraud scheme. However, in most cases, as the ACFE tells us, the purpose of data analysis in an investigation is to identify suspicious activity on which the forensic accounting team can act.

Suspicious transactions can be identified in several ways: comparing different sources of evidence, such as accounting records and bank statements, to find discrepancies between them; searching digital records for duplicate transactions; or identifying sudden changes in the size, volume, or nature of transactions, which need to be explained. While data analysis often is a fast and effective way of highlighting potential areas of fraud, it will never capture every detail that an experienced fraud examiner can glean from reviewing an original document. If data analysis is performed to identify suspicious activity, it typically is performed before any manual review is carried out. This helps ensure that investigative resources are targeting suspicious areas and are concentrating on confirming fraudulent activity rather than concentrating on a search for such activity within a sea of legitimate transactions.
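The three ways of identifying suspicious transactions just described (comparing two evidence sources for discrepancies, searching for duplicate transactions, and spotting a sudden change in volume) can each be reduced to a small test. The code below is an added example written for this post; it is not code from the post, the ACFE or any named practitioner. The record layouts, counterparties, amounts and monthly totals are constructed sample data, and the matching rule (amount plus counterparty, ignoring settlement date) is an assumption chosen for illustration.

```python
"""Added example (not from the original post or the ACFE): three data-analysis
tests over constructed sample data. Field layouts, names and amounts are
assumptions made for illustration."""

from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample records: (record_id, date, amount, counterparty)
LEDGER = [
    ("L1", "2024-03-04", 1200.00, "Acme Supply"),
    ("L2", "2024-03-11", 540.25, "Northwind"),
    ("L3", "2024-03-18", 540.25, "Northwind"),   # repeat of L2: possible duplicate payment
    ("L4", "2024-03-25", 9800.00, "Contoso"),
    ("L5", "2024-03-29", 15000.00, "Fabrikam"),  # recorded, but no matching bank movement
]
BANK = [
    ("B1", "2024-03-05", 1200.00, "Acme Supply"),
    ("B2", "2024-03-12", 540.25, "Northwind"),
    ("B3", "2024-03-26", 9800.00, "Contoso"),
    ("B4", "2024-03-27", 2500.00, "Unknown Payee"),  # paid, but never recorded in the ledger
]
# Constructed monthly payment totals (period, total) for the volume test
MONTHLY_TOTALS = [("2023-10", 100.0), ("2023-11", 110.0), ("2023-12", 95.0),
                  ("2024-01", 105.0), ("2024-02", 100.0), ("2024-03", 260.0)]


def _match_key(record):
    # Settlement dates legitimately differ by a day or two, so records are
    # matched on amount and counterparty rather than on date (an assumption).
    return (round(record[2], 2), record[3])


def reconcile(ledger, bank):
    """Test 1: compare two evidence sources. Returns the (amount, counterparty)
    keys present only in the ledger and only on the bank statement. Counter
    subtraction keeps the surplus copy when one side repeats an amount."""
    ledger_keys = Counter(map(_match_key, ledger))
    bank_keys = Counter(map(_match_key, bank))
    only_ledger = sorted((ledger_keys - bank_keys).elements())
    only_bank = sorted((bank_keys - ledger_keys).elements())
    return only_ledger, only_bank


def duplicates(records):
    """Test 2: group records sharing amount and counterparty; keep groups of two or more."""
    groups = defaultdict(list)
    for record in records:
        groups[_match_key(record)].append(record[0])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def volume_spikes(totals, z_threshold=2.0, min_history=3):
    """Test 3: flag periods whose total sits more than z_threshold standard
    deviations from the mean of all earlier periods. Returns (period, z) pairs."""
    flagged = []
    for i in range(min_history, len(totals)):
        period, value = totals[i]
        history = [v for _, v in totals[:i]]
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:          # flat history: no basis for a z-score
            continue
        z = (value - mu) / sigma
        if abs(z) > z_threshold:
            flagged.append((period, round(z, 2)))
    return flagged


if __name__ == "__main__":
    print("only in ledger / only in bank:", reconcile(LEDGER, BANK))
    print("duplicate groups:", duplicates(LEDGER))
    print("volume spikes:", volume_spikes(MONTHLY_TOTALS))
```

On the sample data the reconciliation surfaces one ledger amount with no bank movement and one bank payment never recorded, the duplicate test pairs L2 with L3, and the March total is flagged as a spike. As the post says, each hit is a lead for manual review, not a finding in itself: the examiner still has to pull the original documents behind every flagged record.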

The first person to be contacted when there is a suspected fraud is typically in-house counsel. Depending on the apparent severity of the matter and its apparent location in the company, other internal resources to be alerted at an early stage, in addition to the board (typically through its audit committee), may include corporate security, internal audit, risk management, the controller’s office, and the public relations and investor relations groups. Investigations usually begin with extensive conversation about who should be involved, and the responsible executives may naturally wish to involve some or all of the functions just mentioned. Depending on the circumstances, the group of internal auditors (if there is one) can in fact be a tremendous asset to an independent forensic investigative team. As participants in the larger team, internal auditors’ knowledge of the company may improve both the efficiency with which evidence is gathered and the forensic team’s effectiveness in lining up interviews and analyzing findings. The ACFE advises client executives and in-house counsel to engage an external team but to consider making available to that team the company’s internal auditors, selected information systems staff and other internal resources for any investigation of substantial size.

The key to the success of all this from the forensic accountant’s point of view, especially in gaining access to critical digital data, can be the corporate counsel. On one hand, the forensic accounting investigator may find that the attorney gives the forensic accounting investigator free rein to devise and execute a strategic investigative plan, subject to the attorney’s approval. That scenario is particularly likely in cases of asset misappropriation. On the other hand, some attorneys insist on being involved in all phases of the investigation. It’s the attorney’s call. When engaged by counsel, forensic accounting investigators take direction from counsel. You should advise per your best judgment, but in the end, you work at counsel’s direction.

When working with attorneys on projects involving sensitive digital data, forensic accounting investigators should specifically understand:

  • Their expected role and responsibilities vis-à-vis other team members;
  • Critical managers and players within the information systems shop and their various roles;
  • What other professionals are involved (current or contemplated);
  • The extent and source of any external scrutiny (SEC, IRS, DOJ, etc.);
  • Any legal considerations (extent of privilege, expectation that the company intends to waive privilege, expectation of criminal charges, and so on);
  • Anticipated timing issues, if any;
  • Expected form, timing, and audience of interim or final deliverables;
  • Specifics of the matters under investigation, as currently understood by counsel;
  • Any limitations on departments or personnel that can be involved, interviewed, or utilized in the investigation process.

Independent counsel, with the help of forensic accounting investigators, often takes the lead in setting up, organizing, and managing the entire investigative team. This process may include the selection and retention of other parties who make up the team. Independent counsel’s responsibilities typically encompass the following:

  • Preparing, maintaining, and disseminating a working-group list (very helpful in sorting out which law firms or experts represent whom);
  • Establishing the timetable in conjunction with the board of directors or management, disseminating the timetable to the investigating team, and tracking progress against it;
  • Compiling, submitting, and tracking the various document and personnel access requests that the investigating team members will generate;
  • Organizing client or team meetings and agendas;
  • Preparing the final report with or for the board or its special committee, or doing so in conjunction with other teams from which reports are forthcoming;
  • Establishing and maintaining communication channels with the board of directors and other interested parties, generally including internal general counsel, company management, regulatory personnel, law enforcement or tax authority personnel, and various other attorneys involved.

As fraud examiners, we’re frequently conversant in areas related to financial accounting and reporting such as valuation, tax, and the financial aspects of human resource management, but conversant doesn’t necessarily indicate a sufficient level of knowledge to fully guide a complex organizational investigation. What we can do, however, is to work closely with the corporate counsel to assist him or her in the building of a team on the back of which even the most complex examination can be brought to a successful conclusion.

Mining the General Ledger

I was chatting via Skype over this last weekend with a former officer of our Chapter who left the Richmond area many years ago to found his own highly successful forensic accounting practice on the west coast. During our conversation, he remarked that he never fails to intensively indoctrinate trainees new to his organization in an understanding of the primary importance of the general ledger in any investigation of financial fraud. With a good sense of those areas of the financial statements most vulnerable to fraud, and with whatever clues the investigative team has gleaned from an initial set of interviews focusing on those accounting entries initially arousing suspicion, he tells his trainees that they’re ready to turn their attention to a place with the potential to provide a cornucopia of useful information. That place is the client firm’s own accounting system general ledger.

My old colleague pointed out that for a fraud examiner or forensic accountant on the search for fraud, there are several great things about the general ledger. One is that virtually all sophisticated financial reporting systems have one. Another is that, as the primary accounting tool of the company, it reflects every transaction the company has entered.

He went on to say that unless the fraud has been perpetrated simply through last-minute topside adjustments, it’s captured in the general ledger somewhere. What’s vital is knowing how, and where, to look. The important thing to keep in mind is the way the ACFE tells us that financial fraud starts and grows. That guidance says that ledger entries entered at particular points of time — say, the final days leading up to the end of a quarter — are more likely to reflect falsified information than entries made at earlier points. Beyond that, a fraudulent general ledger entry in the closing days of a quarter may reflect unusual characteristics. For example, the amounts involved, having been determined by the need to cross a certain numerical threshold rather than by a legitimate business transaction, may by their very nature look a bit strange. Perhaps they’re larger than might be expected or rounded off. It also may be that unusual corporate personnel were involved—executives who would not normally be involved in general ledger entries. Or, if the manipulating executives are not thinking far enough ahead, the documentation behind the journal entries themselves may not be complete or free from suspicion. For example, a non-routine, unusually large ledger entry with rounded numbers that was atypically made at the direction of a senior executive two days before the end of a quarter should arouse some suspicion.

Indeed, once a suspicious general ledger entry has been identified, determining its legitimacy can be fairly straightforward. Sometimes it might involve simply a conversation with the employee who physically made the entry. My colleague went on to point out that, in his experience, senior executives seeking to perpetrate financial fraud often suffer from a significant handicap: they don’t know how to make entries to the accounting system. To see that a fraudulent entry is made, they have to ask some employee sitting at a computer screen somewhere to do it for them, someone who, if properly trained, may want to fully understand the support for a non-routine transaction coming from an unusual source. Of course, if the employee’s boss simply orders him or her to make the entry, resistance may be awkward. But, if suspicions are aroused, the direction to enter the entry may stick in the employee’s memory, giving the employee the ability to later describe in convincing detail exactly how the ledger entry came to be made. Or, concerned about the implications and the appearance of his own complicity, the employee may include with the journal entry an explanation that captures his skepticism. The senior executive directing the entry may be oblivious to all this. S/he thinks she has successfully adjusted the general ledger to create the needed earnings. Little does she know that within the ledger entry the data-entering employee has embedded incriminating evidence for the forensic accountants to find.

The general ledger may reflect as well large transactions that simply by their nature are suspicious. The investigators may want to ask the executive responsible about such a transaction’s business purpose, the underlying terms, the timing, and the nature of the negotiations. Transaction documentation might be compared to the general ledger’s entry to make sure that nothing was left out or changed. If feasible, the forensic accountants may even want to reach out to the entry’s counter-party to explore whether there are any unrecorded terms in side letters or otherwise undisclosed aspects of the transaction.

As we all know, an investigation will not ordinarily stop with clues gleaned from the general ledger. For example, frequently a useful step is to assess the extent to which a company has accounted for significant or suspicious transactions in accordance with their underlying terms. Such scrutiny may include a search for undisclosed terms, such as those that may be included in side letters or pursuant to oral agreements. In searching for such things, the investigators will seek to cast a wide net and may try to coax helpful information from knowledgeable company personnel outside the accounting function. As our former Central Virginia Chapter officer put it, “I like to talk to the guys on the loading dock. They’ll tell you anything.”

As I’m sure most readers of this blog are aware, while such forensic accounting techniques, and there are many others, can be undertaken independently of what employee interviews turn up, usually the two will go hand in hand. For example, an interview of one employee might yield suspicions about a particular journal entry, which is then dug out of the accounting system and itself investigated. Or an automated search of the general ledger may yield evidence of a suspicious transaction, resulting in additional interviews of employees. Before long, the investigative trail may look like a roadmap of Washington DC. Clues are discovered, cross-checked against other information, and explored further. Employees are examined on entries and, as additional information surfaces, examined again. As the investigation progresses, shapes start to appear in the fog. Patterns emerge. And those executives not being completely candid look increasingly suspicious.

So, with thanks to our good friend for sharing, in summary, if there is predication of a fraud, what sorts of things might a thorough forensic examination of the general ledger reveal?

–The journal entries that the company recorded to implement the fraud;

–The dates on which the company recorded fraudulent transactions;

–The sources for the amounts recorded (e.g., an automated sub-accounting system, such as purchasing or treasury, versus a manually prepared journal entry);

–The company employee responsible for entering the journal entries into the accounting system;

–Adjusting journal entries that may have been recorded.
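The red flags described in this post (an entry posted in the closing days of a quarter, a rounded or unusually large amount, an executive rather than a routine preparer, a manual rather than sub-system source, and thin documentation) can be scored mechanically over a general ledger extract, leaving the examiner with a short list ranked by how many flags coincide. The code below is an added example written for this post, not code from the post, the ACFE or the practitioner quoted; the journal entry layout, the role names, the three-day quarter-end window, the "ten times the median" size rule and the sample entries are all constructed assumptions for illustration.

```python
"""Added example (not from the original post or the ACFE): score general
ledger entries against the red flags the post describes. The entry layout,
thresholds and sample data are constructed assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass
class JournalEntry:
    entry_id: str
    posted: date
    amount: float
    preparer: str           # employee who keyed the entry
    preparer_role: str      # e.g. "ap_clerk", "controller", "cfo" (assumed role names)
    source: str             # "subledger:<system>" for automated feeds, "manual" otherwise
    description: str        # the explanation recorded with the entry


EXECUTIVE_ROLES = {"ceo", "cfo", "coo"}   # roles that do not normally post entries (assumed)

# Constructed sample extract: two routine sub-ledger postings, one treasury
# posting, and two manual quarter-end entries with the characteristics the post lists.
ENTRIES = [
    JournalEntry("JE-1001", date(2024, 3, 12), 1842.17, "p.lee", "ap_clerk",
                 "subledger:purchasing", "Invoice 44821 Acme Supply Mar 2024"),
    JournalEntry("JE-1002", date(2024, 3, 15), 975.00, "p.lee", "ap_clerk",
                 "subledger:purchasing", "Invoice 44902 Northwind"),
    JournalEntry("JE-1003", date(2024, 3, 29), 250000.00, "r.diaz", "controller",
                 "manual", "Per CFO, revenue adj Q1 - see email"),
    JournalEntry("JE-1004", date(2024, 3, 30), 50000.00, "a.stone", "cfo",
                 "manual", "adj"),
    JournalEntry("JE-1005", date(2024, 2, 5), 3120.50, "m.chen", "treasury_analyst",
                 "subledger:treasury", "Wire fee reimbursement Feb"),
]


def days_to_quarter_end(d):
    """Days from d to the last day of its calendar quarter (0 on the last day)."""
    q_end_month = ((d.month - 1) // 3 + 1) * 3
    if q_end_month == 12:
        q_end = date(d.year, 12, 31)
    else:
        q_end = date(d.year, q_end_month + 1, 1) - timedelta(days=1)
    return (q_end - d).days


def red_flags(entry, typical_amount, window_days=3, size_multiple=10, min_doc_len=15):
    """Return the names of the red flags an entry triggers. Thresholds are assumptions."""
    flags = []
    if days_to_quarter_end(entry.posted) <= window_days:
        flags.append("posted_near_quarter_end")
    if entry.amount >= 1000 and entry.amount % 1000 == 0:
        flags.append("rounded_amount")
    if typical_amount > 0 and entry.amount >= size_multiple * typical_amount:
        flags.append("unusually_large")
    if entry.preparer_role.lower() in EXECUTIVE_ROLES:
        flags.append("executive_prepared")
    if entry.source == "manual":
        flags.append("manual_entry")
    if len(entry.description.strip()) < min_doc_len:
        flags.append("thin_documentation")
    return flags


def rank_entries(entries, min_flags=3):
    """Score every entry against the median amount of the extract and return
    (entry_id, flags) for entries with at least min_flags, most flags first."""
    typical = median(e.amount for e in entries)
    scored = [(e.entry_id, red_flags(e, typical)) for e in entries]
    hits = [(eid, flags) for eid, flags in scored if len(flags) >= min_flags]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for entry_id, flags in rank_entries(ENTRIES):
        print(entry_id, ", ".join(flags))
```

On the sample extract the two manual quarter-end entries rise to the top and the routine sub-ledger postings score nothing. Every hit still points back to the items in the list above: the date, the source, the employee who keyed it and the explanation recorded with it are exactly what the examiner takes into the follow-up conversation.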

E-discovery Challenges for Fraud Examiners

I returned from the beach last Friday to find a question in my in-box from one of our Chapter members relating to several E-discovery (electronically stored information) issues she’s currently encountering on one of her cases. The rules involving E-discovery are laid out in the US Federal Rules of Civil Procedure and affect not only parties to federal lawsuits but also any related business (like the client of our member). Many fraud professionals who don’t routinely work with matters involving the discovery of electronically stored information are surprised to learn just how complex the process can be; unfortunately, like our member’s client company, they sometimes have to learn the hard way, during the heat of litigation.

All parties to a Federal lawsuit have a legal responsibility, under the Rules of Civil Procedure and numerous State mirror statutes, to preserve relevant electronic information. What is often not understood by folks like our member’s client is that, when a party finds itself under the duty to preserve information because of pending or reasonably anticipated litigation, adjustment in the normal pattern of its information systems processing is very often required and can be hard to implement. For example, under the impact of litigation, our member’s client needs to stop deleting certain e-mails and refrain from recycling system backup media as it has routinely done for years. The series of steps her client needs to take to stop the alteration or destruction of information relevant to the case is known as a ‘litigation hold’.

What our clients need to clearly understand regarding E-discovery is that the process is a serious matter and that, accordingly, courts can impose significant sanctions if a party to litigation does not take proper steps to preserve electronic information. The good news is, however, that if a party is found to have performed due diligence and implemented reasonable procedures to preserve relevant electronic data, the Rules provide that sanctions will not be imposed due to the loss of information during the ‘normal routine’ and ‘good faith’ operations of automated systems; this protection provided by due diligence is called the ‘safe harbor’.

To ensure that our clients enjoy the protections afforded them through confirmation of due diligence, my recommendation is that both parties to the litigation meet to attempt to identify issues, avoid misunderstandings, expedite proper resolution of problems and reduce the overall litigation costs (which can quickly get out of hand) associated with E-discovery. The plaintiff’s and defendant’s lawyers need some sort of venue where they can become thoroughly familiar with the information systems and electronic information of their own client and those of the opposing party. Fraud examiners can be of invaluable assistance to both parties in achieving this objective since they typically know most about the details of the investigation which is often the occasion of the litigation. Both sides need to obtain information about the electronic records in play prior to the initial discovery planning conference, perhaps at a special session, to determine:

–the information systems infrastructure of both parties to the litigation;
–location and sources of relevant digitized information;
–scope of the electronic information requirements of both litigants;
–time period during which the required information must be available;
–the accessibility of the information;
–information retrieval formats;
–costs and effort to retrieve the required information;
–preservation and chain of custody of discoverable information;
–assertions of privilege and protection of materials related to the litigation.

Technical difficulties and verbal misunderstandings can arise at any point in the E-discovery process. It often happens that one of the litigants may need to provide technical support so that digital information can even be used by the opposing party; this can mean that metadata (details about the electronic data) must be provided for the data to be understandable. This makes it a standard good practice for all parties to test a sample of the information requested to determine how usable it is as well as to determine how burdensome it is to the requested party to retrieve and provide.

It just makes good sense to get the client’s information management professionals involved as soon as possible in the E-discovery process. A business will have to disclose all digitally stored information that it plans to use to support its claims or defenses. When faced with specific requests from the opposing side, your client will need to determine whether it can retrieve information in its original format that is usable by the opposition; a question that often only skilled information professionals can definitively answer.

Since fraud examination clients face E-discovery obligations not only for active Federal litigation but also for foreseeable litigation, businesses can be affected that merely receive a Federal subpoena seeking digital information. Our questioner’s client received such a subpoena regarding an on-going fraud investigation and was not ready to effectively respond to it, leaving the company potentially vulnerable to fines and adverse judgments.

The Fraud Examiner & the Financial Analyst

On June 18, 2014, our ACFE Chapter and partners, the Virginia State Police and Health Management Systems (HMS), will be jointly conducting a free afternoon training session on the topic of ‘Advanced Trends in Data Analytics’ at the VSP Training Academy here in Richmond. Several of us were struck in going over the speaker’s presentation by how useful something as basic as fundamental financial analysis can be to fraud examiners and other assurance professionals in setting up and implementing the sorts of advanced analytical testing that companies like HMS are pioneering to such good effect.

I can remember graduate finance classes at the University of Richmond so many years ago where we were told what an important tool financial analysis could be at every level of management, but especially for anyone tasked with performing operational and compliance reviews. After reviewing the foundational steps needed to effectively set up and use today’s advanced analytical and data mining techniques, I think fraud examiners in general would be well advised to develop or update even their basic financial analysis skills so as to do a more efficient job as the ‘fraud expert’ on the data mining and analytics team directing what to test and how much to test it to efficiently identify and investigate the various types of financial frauds.

Fraud examiners should plan to actively reach out to financial analysts (FAs), initially when performing fraud risk assessments, and then when setting up analytics and data mining supported testing for the suspected presence of fraud or to investigate actual fraud. The FA is an expert in the construction and analysis of ratios and comparisons derived from all the entity’s financial data but especially from its financial statements. If the entity is a public company using some taxonomy of the XBRL markup language to prepare and file automated quarterly and annual statements with the SEC, the company’s FA will be an invaluable resource to the fraud examiner in structuring the analytic, financial data tests essential to building her case.

Comparison analysis of financial data can be performed simply or, depending upon the data moving and crunching tools available, with great sophistication. What are the established financial expectations for the entity under review from one performance period to the next? This is a question that can be answered in almost any degree of detail and the answer, as any auditor knows, can be quite important when seen in the context of the investigation of any on-going fraud or financial irregularity. The fraud examiner working with the FA can piggyback on the FA’s existing work to examine actual account balances, relevant to an actual fraud or postulated fraud scenario, from current and prior periods, as well as to budgeted or forecasted plans that anticipate actual results for a past or current period.

And don’t look down on humble ratio analysis in the hands of an experienced FA as a tool to guide the setup of advanced analytic procedures. Even though ratio analysis is by far the most commonly used type of basic financial analysis, it can still provide information on the effectiveness and efficiency of operations and highlight relationships between target accounts in light of industry and economic trends; as such it can be very effective for the fraud examiner who wants to demonstrate a client’s due diligence in the application of systems of internal controls associated with best practice. Because ratio analysis is fundamentally about actual and expected relationships between items of financial data as manifested over time, significant changes in the ratios from period to period are usually caused by the type of apparent or recurring “errors” or “poor performance” that often mask on-going frauds.

By working with an FA who has developed a powerful set of ratios specific to the client, the fraud examiner is forced to understand quickly not only the operations of the examination target organization but also those of its industry; we all know how useful it is to be able to demonstrate to a jury that financial shenanigans we’ve uncovered in connection with investigating a suspected fraud are just not typical of enterprises in the target’s industry … ratio analysis can be of great help in forcefully demonstrating that point to a judge and jury.

The Achilles heel of analytics, data mining, comparison and ratio analysis as tools for fraud examination is that these techniques primarily look at what was previously done or experienced at the company and, by straightforward extension, at what was anticipated. This is where the FA can come in to help the fraud examiner who is using financial information to build her case avoid the many pitfalls and minefields inherent in these types of data. The FA might point out, for example, that anticipated performance does not necessarily indicate what constitutes good performance or even what should be expected from effective and efficient business operations; for those reasons she will warn that our fraud examiner might want to expand her comparison and ratio analysis based analytic tests to include a general look at other players in the same industry ... in other words, applying ‘best of class’ comparisons across comparable companies before drawing conclusions based only on the performance, or lack thereof, of a single company. This is only a single example of how useful FAs can be in sharpening the investigation of financial data, especially if they are experienced with the client.
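As an added illustration (not code from the original post or from the Chapter), here is how the period-to-period ratio comparison and the ‘best of class’ peer comparison described above can be set up. The company figures, the three peer companies, the small ratio set and the 25 percent change cutoff are all constructed assumptions; a real engagement would use the FA’s own ratio set and the client’s filed statements.

```python
"""Ratio analysis across periods plus a peer-group ('best of class') check.

Added example with constructed figures; no real company is represented.
"""
from statistics import mean, pstdev

# Constructed statements for the company under examination, by period.
TARGET = {
    "2019": {"revenue": 1000.0, "cogs": 600.0, "receivables": 120.0, "inventory": 90.0},
    "2020": {"revenue": 1050.0, "cogs": 630.0, "receivables": 130.0, "inventory": 95.0},
    "2021": {"revenue": 1100.0, "cogs": 620.0, "receivables": 260.0, "inventory": 98.0},
}

# Constructed peer companies in the same industry, latest period only.
PEERS = {
    "PeerA": {"revenue": 900.0, "cogs": 560.0, "receivables": 100.0, "inventory": 80.0},
    "PeerB": {"revenue": 1300.0, "cogs": 800.0, "receivables": 150.0, "inventory": 120.0},
    "PeerC": {"revenue": 1150.0, "cogs": 690.0, "receivables": 140.0, "inventory": 100.0},
}


def compute_ratios(fs):
    """Return a few standard ratios for one period's figures (assumed set)."""
    return {
        "gross_margin": (fs["revenue"] - fs["cogs"]) / fs["revenue"],
        "receivable_days": fs["receivables"] / fs["revenue"] * 365,
        "inventory_turnover": fs["cogs"] / fs["inventory"],
    }


def flag_period_changes(statements, threshold=0.25):
    """Compare each ratio with the prior period and flag relative changes
    larger than `threshold` (25 percent by default, an assumed cutoff).
    Returns (period, ratio_name, relative_change) tuples."""
    periods = sorted(statements)
    ratios = {p: compute_ratios(statements[p]) for p in periods}
    flags = []
    for prev, cur in zip(periods, periods[1:]):
        for name, value in ratios[cur].items():
            base = ratios[prev][name]
            change = (value - base) / base
            if abs(change) > threshold:
                flags.append((cur, name, round(change, 3)))
    return flags


def peer_zscores(target_fs, peers):
    """Score the target's ratios against the peer group as z-scores, so a
    'bad' number can be judged against the industry rather than in isolation."""
    target = compute_ratios(target_fs)
    peer_ratios = [compute_ratios(p) for p in peers.values()]
    scores = {}
    for name in target:
        vals = [r[name] for r in peer_ratios]
        mu, sd = mean(vals), pstdev(vals)
        scores[name] = 0.0 if sd == 0 else (target[name] - mu) / sd
    return scores


if __name__ == "__main__":
    print(flag_period_changes(TARGET))            # receivable days jump in 2021
    print(peer_zscores(TARGET["2021"], PEERS))    # and far outside the peer range
```

In this constructed data receivables nearly double in 2021 while revenue barely moves, so receivable days jump by roughly 90 percent; the peer comparison then shows the same ratio sitting many standard deviations above comparable companies, which is the kind of result that needs an explanation before anyone concludes it is merely “poor performance”.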

In every case, whether employing simple ratios or comparison analysis or building complex analytical tests, fraud examiners must use their own professional judgment but that doesn’t mean, as in the case of the FA, we can’t all use some help from time to time from our professional friends!

Continuous Auditing versus Continuous Monitoring in Fraud Prevention Programs

The efficacy of modern fraud prevention programs has been vastly improved by advances in data mining, analytics and the near ubiquitous cloud based storage and availability of client transactional data; the advances, however, have been accompanied by some confusion on the part of fraud prevention professionals in the incorporation of these new tools into an effective, risk based, prevention program. Three common sources of confusion usually arise during the implementation of analytically supported fraud prevention schemes: first, the confusion between the continuous monitoring of transactions (made possible by data mining and analytics coupled with enterprise risk management approaches for the identification of high risk business processes) and continuous auditing for fraud; second, the need to understand the role of continuous auditing for fraud in high risk business processes as a meta control (i.e., as a control of controls); and third, the concern of separation of duties (i.e., who will do what when actual instances of suspected fraud are identified by the process).

The continuous, analytically based monitoring of high risk business processes found to be especially vulnerable to pre-identified attempted fraud scenarios is a dynamic process (i.e., the fraud examiner/auditor can turn analytical procedures on and off by re-configuring tests based on which fraud scenarios, and which levels of accompanying risk, s/he feels are presently most active as threats). By continuously monitoring particular, configurable high risk items, continuous testing for the presence of likely fraud scenarios constitutes a wholly new control level, acting as a meta control. For example, a bank’s analytically based loan transaction system can detect the presence of a suspected component of a fraud scenario and issue an alarm, under pre-specified circumstances, to the bank manager’s supervisor as loans to a given customer exceed pre-authorized levels. This fraud prevention program measure thus increases the number of configurable controls (e.g., choosing whether to issue an alarm and when) by going past simple continuous monitoring all the way to the level of continuous auditing/testing and subsequent management alert.

Implementing this type of approach to fraud prevention generally means taking the following steps:

—identify the client’s high risk business processes for scenario testing. The choice of high risk business processes should be integrated into the annual fraud prevention plan and the enterprise risk management (ERM) annual review. This exercise should be integrated with other compliance plans (for example, with the internal audit annual plan, if there is one).

—identify rules that will guide the analytically based fraud scenario testing activity; these rules need to be programmed, repeated frequently and reconfigured when needed. As an example, a financial institution might have defined a critical component of a given fraud scenario; in response the bank monitors all checking accounts nightly by extracting files that meet the criteria of having a debt balance that is 20 percent larger than the loan threshold for a certain type of customer.

—determine the frequency of testing for the critical fraud scenarios and related business processes; this is important because the chosen frequency of testing has to depend on the natural rhythm of the subject business process including the timing of computer and business activities and the availability to the client of fraud examiners and auditors with experience of the underlying fraud scenario.

—perform a cost benefit analysis; only the most high risk business processes vulnerable to a given frequently occurring fraud scenario should be continuously tested; once the threat is determined to have subsided (perhaps by the application or tightening of prevention controls) shut the continuous testing down as no longer cost effective.

—put mechanisms in place to communicate positive testing results to business owners; the communication must be independent, objective and consistent, and all the parties who will address elements of the suspected fraud and whose role requires taking some pre-defined action under the identified fraud scenario must be informed.
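The steps above, from a programmed rule through nightly extraction to an alert routed to the right supervisor, as an added example (not the post’s or any bank’s code). The account records, customer types, loan thresholds, the 20 percent and 50 percent cutoffs and the officer-to-supervisor routing table are all constructed assumptions; the point is that each rule can be switched on or off and re-pointed without rewriting the extraction.

```python
"""Configurable continuous-testing rules over a nightly account extract.

Added example; every record, threshold and routing entry below is constructed.
"""
from dataclasses import dataclass
from typing import Callable

# Assumed loan thresholds by customer type.
LOAN_THRESHOLD = {"retail": 10_000.0, "small_business": 50_000.0}

# Constructed nightly extract; negative balances are amounts owed to the bank.
NIGHTLY_EXTRACT = [
    {"account": "A-1", "customer_type": "retail", "balance": -11_500.0, "officer": "smith"},
    {"account": "A-2", "customer_type": "retail", "balance": -16_000.0, "officer": "smith"},
    {"account": "A-3", "customer_type": "small_business", "balance": -55_000.0, "officer": "jones"},
    {"account": "A-4", "customer_type": "small_business", "balance": 2_000.0, "officer": "jones"},
]

# Assumed escalation path: the officer's supervisor receives the alert,
# not the officer who booked the loan (separation of duties).
SUPERVISOR_OF = {"smith": "patel", "jones": "garcia"}


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]       # True when the record matches the scenario component
    recipient: Callable[[dict], str]   # who is alerted for a matching record
    enabled: bool = True               # rules are turned on/off as the threat picture changes


def over_threshold(pct):
    """Build a test: amount owed exceeds the customer-type loan threshold by `pct`."""
    def test(rec):
        limit = LOAN_THRESHOLD[rec["customer_type"]]
        return -rec["balance"] > limit * (1 + pct)
    return test


RULES = [
    # The scenario component from the text: 20 percent over the threshold.
    Rule("debit_20pct_over_threshold", over_threshold(0.20),
         lambda rec: SUPERVISOR_OF[rec["officer"]]),
    # A stricter variant kept configured but switched off until needed.
    Rule("debit_50pct_over_threshold", over_threshold(0.50),
         lambda rec: "fraud_examiner", enabled=False),
]


def run_rules(records, rules):
    """Apply every enabled rule to every record in the extract.
    Returns (rule_name, account, recipient) tuples for the alert channel."""
    alerts = []
    for rule in rules:
        if not rule.enabled:
            continue
        for rec in records:
            if rule.test(rec):
                alerts.append((rule.name, rec["account"], rule.recipient(rec)))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(NIGHTLY_EXTRACT, RULES):
        print(alert)
```

Only A-2 trips the 20 percent rule in this data and the alert goes to that officer’s supervisor; flipping `enabled` on the second rule adds the stricter test without touching the extract or the routing, which is what makes the frequency and cost-benefit decisions in the steps above cheap to revisit.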

The evolution of fraud prevention programs to incorporate analytically based fraud evaluation and examination testing on a continuous and near continuous basis is a giant step for the fraud examination and auditing professions. This evolution will take time, substantial attention from senior management and additional costs and resources as continuous fraud auditing activities are implemented and extended; these efforts will have a lasting effect on the future of both professions.

Electronic Fingerprints

Media coverage of the details of the SEC’s current investigation of corporate boards for insider trading brings to mind that in all such cases today, the most telling evidence investigators will have available to them will be a wide variety of “electronic fingerprints,” in the form of e-mails, instant messages, voice mails and transaction records to name but a few. What legal and financial implications exist for corporations as a result of the behavior of their executives, employees and contractors that is documented in this way? What prudent steps can fraud examiners and other compliance professionals help their clients take to minimize this ever growing exposure?

In this electronic goldfish bowl environment, we need to advise our client managements that, first, proactive steps have to be taken to minimize the possibility that an employee will do something to put the company at risk, whether or not the risk has a direct business consequence, such as a major regulatory investigation, a major financial loss or the possibility of a lawsuit. Second, and related, organizations must make sure that the effect of any lawsuit is minimized in the event that one occurs.

A key factor in managing the risk from employee misbehavior, and underlined by the SEC’s board member investigation, is to have in place an effective financial and general compliance system to monitor the behavior of employees to ensure that their behavior complies with company policy. Eyeing this opportunity, technology vendors have flooded the market with software in recent years to help firms store, manage and retrieve the necessary files to identify potential and actual misbehavior. While many of these solutions allow the buyer to check the compliance box on the compliance score sheet, the stored data is, in reality, a treasure trove for regulators and adversary attorneys building a case while it does little to actually identify and control employee misbehavior.

To truly mitigate this type of risk, it’s necessary to be able to analyze patterns in communication and organizational behavior in ways that go beyond basic keyword filtering and associated counting and statistics.  Advanced analysis and understanding of behavior patterns form the basis for identifying the type of anomalous behavior characteristic of insider trading and other fraud scenarios that merits further investigation.

These same technologies can be used for retrospective investigation (internal or external).  They can also be applied to records retention, where a smarter approach can better identify materials that can be legally and safely purged.  As a result of storing fewer records, storage costs are decreased and, in the event of a lawsuit or regulatory investigation, there are fewer items for the opposing attorneys or regulators to review, resulting in lower costs and decreased risk of untoward information coming to light.

Remember that your client’s existing data constitutes a baseline for evaluating “normal” corporate behavior.  As such it addresses one of the most challenging issues for enterprise monitoring: how to keep an eye on a vast volume of data.  Knowing what is normal makes it possible to identify and focus on behaviors, like that of the board members under investigation, that are outside the norm.  Analysis of such data in defending against an investigation or lawsuit is also useful since the client can prove that the alleged offenses perpetrated by a limited group of employees are not typical of its usual practice or ethical culture.

Despite the current slow economic recovery, now is not the time to place investment in employee compliance monitoring on the back burner.  Such a response can put an organization in an even more vulnerable position.

Setting Up the Client Data Mine to Screen Out Fraud, Waste and Abuse

The process of developing a data warehouse of client information is a critical first step in the data mapping and data mining effort that has proved a challenge for fraud examiners and auditors setting out to utilize these tools for the first time.  Consider what we’d need if we were thinking about taking a vacation involving a long road trip.  First, we’d need some kind of vehicle to drive; we can’t really determine what kind of vehicle we need until we know how many people will be going with us (entities about which we’ll be storing information).   Then we’re going to need a roadmap (the data) to guide our trip.  We also need to be prepared for unforeseen events (data anomalies) along the way that don’t appear on the map.  Then, once we arrive at each of the various milestones along the way, we take in information from that stage of the journey and re-evaluate our route…it’s an on-going process.

So we can think of the implementation of a data mapping and data mining effort for fraud examination as an on-going process built on a foundation of operational or managerial auditing procedures; the process involves defining the data elements to be gathered, the collection of the data, the design of the tables and decision trees in which the data will be stored and processed by queries, and the on-going surveillance of the data.  The pre-condition here is that the data flows continuously as in health care, billing or quarterly updated financial applications.

Once a warehouse has been appropriately mapped and data mining activated, the ongoing activity is surveillance. This is where auditor judgment proves critical. Finding patterns in the on-going flow of data indicative of the presence of scenarios linked to fraud, waste and abuse is a skill which can be developed only over time and through experience with what “normal” data for the entity under surveillance should look like ... how, in the company environment, should normal data look and what makes this data look “abnormal”?

This analysis is not a one-time event but an ongoing, constantly evolving tool for efficiently obtaining the intelligence to identify fraud and then alter controls to prevent such transactions from being processed in the future.  We’re not looking to recoup the losses from identified past fraud scenarios (pay and chase) so much as we’re looking to adjust our systems and controls through edits to prevent the data associated with such scenarios from even being processed in the future.

Simply put, we need to identify the anomalous output and study the hidden patterns associated with each anomaly; document the sequence of events leading to the offense; identify potential perpetrators; document the loss; and finally, adjust system edits so that the processing pattern associated with the fraud does not recur.
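An added example (not from the original post) of the warehouse-and-edits loop just described, using a small in-memory SQLite database as the “data mine”: tables are defined for the entities being tracked, a surveillance query finds claims that were paid twice, and the same pattern is then turned into a pre-processing edit that rejects a repeat claim before it is paid instead of paying and chasing. The table design, provider ids, claim rows and procedure codes are constructed for illustration.

```python
"""A tiny claims warehouse with retrospective surveillance and prevention edits.

Added example; schema, providers and claim rows are constructed, not real data.
"""
import sqlite3

# Data elements to be gathered, and the tables they are stored in (assumed design).
SCHEMA = """
CREATE TABLE provider (provider_id TEXT PRIMARY KEY, specialty TEXT);
CREATE TABLE claim (
    claim_id     TEXT PRIMARY KEY,
    provider_id  TEXT NOT NULL REFERENCES provider(provider_id),
    patient_id   TEXT NOT NULL,
    service_date TEXT NOT NULL,
    procedure    TEXT NOT NULL,
    amount       REAL NOT NULL
);
CREATE INDEX claim_dup ON claim(provider_id, patient_id, service_date, procedure);
"""

PROVIDERS = [("P1", "family"), ("P2", "family"), ("P3", "family")]
CLAIMS = [  # constructed history already processed (and paid)
    ("C1", "P1", "PT-100", "2024-03-01", "99213", 98.0),
    ("C2", "P1", "PT-101", "2024-03-01", "99213", 102.0),
    ("C3", "P2", "PT-200", "2024-03-02", "99213", 100.0),
    ("C4", "P3", "PT-300", "2024-03-02", "99214", 150.0),
    ("C5", "P3", "PT-300", "2024-03-02", "99214", 150.0),  # same service billed twice
    ("C6", "P3", "PT-301", "2024-03-03", "99214", 155.0),
]


def build_warehouse():
    """Create the tables and load the constructed history."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO provider VALUES (?, ?)", PROVIDERS)
    conn.executemany("INSERT INTO claim VALUES (?, ?, ?, ?, ?, ?)", CLAIMS)
    conn.commit()
    return conn


DUPLICATE_QUERY = """
SELECT provider_id, patient_id, service_date, procedure, COUNT(*) AS n, SUM(amount) AS paid
FROM claim
GROUP BY provider_id, patient_id, service_date, procedure
HAVING COUNT(*) > 1
"""


def surveillance_duplicates(conn):
    """Retrospective view: services already paid more than once (the loss to document)."""
    return conn.execute(DUPLICATE_QUERY).fetchall()


def edit_duplicate(conn, claim):
    """Pre-payment edit: reject a claim that repeats an already processed service."""
    _, provider_id, patient_id, service_date, procedure, _ = claim
    row = conn.execute(
        "SELECT claim_id FROM claim WHERE provider_id=? AND patient_id=? "
        "AND service_date=? AND procedure=?",
        (provider_id, patient_id, service_date, procedure)).fetchone()
    return None if row is None else f"duplicate of {row[0]}"


def edit_unknown_provider(conn, claim):
    """Pre-payment edit: the billing provider must exist in the provider table."""
    found = conn.execute("SELECT 1 FROM provider WHERE provider_id=?", (claim[1],)).fetchone()
    return None if found else "provider not enrolled"


EDITS = [edit_unknown_provider, edit_duplicate]   # adjusted as new patterns are learned


def process_claim(conn, claim):
    """Run every edit before the claim enters the warehouse; return (accepted, reasons)."""
    reasons = [r for r in (edit(conn, claim) for edit in EDITS) if r]
    if reasons:
        return False, reasons
    conn.execute("INSERT INTO claim VALUES (?, ?, ?, ?, ?, ?)", claim)
    conn.commit()
    return True, []


if __name__ == "__main__":
    db = build_warehouse()
    print(surveillance_duplicates(db))
    print(process_claim(db, ("C7", "P1", "PT-100", "2024-03-01", "99213", 98.0)))
```

The surveillance query answers the retrospective question (what has already been paid twice) while `EDITS` answers the preventive one; adding a new function to that list is the “adjust system edits” step, and the surveillance query keeps running afterwards to confirm the pattern no longer appears.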


What is a Fraud, Waste and Abuse Detection System (FADS)?

Fraud and abuse detection technology (FADS) processes (or data mines) large amounts of information stored in data warehouses to identify patterns, associations, clusters, outliers and other red flag phenomena that indicate the presence of fraud and abuse. A key characteristic of this technology is the use of “learning experiences” where findings from previous analyses are integrated into the next round of tests to search for potentially fraudulent activities.

FADS technology detects these activities using three principal methodologies: 1) a vendor centric methodology to identify vendors consistently submitting suspicious invoices (as in a system targeting vendor billing), 2) an invoice centric methodology to identify patterns within invoices indicative of fraud and abuse (without linking the invoices to specific vendors) and 3) a predictive modeling algorithm to identify previously undetected fraudulent activities.

The predictive modeling algorithm scores newly received invoices based on their deviance from vendor peer group norms. Additional functions performed by FADS systems include the ability to identify emerging criminal schemes using generalizations from previous analyses and tests, the generation of ad hoc reports to increase accounts receivable program oversight, and the ability to add software programming updates as needed to improve detection capabilities.

FAD systems are successfully applied to virtually every business process with a large volume of activity and which is supported by large scale storage of digitized historical data.

One type of FAD is a Medicaid or Medicare Fraud and Abuse Detection System (MFAD). Some examples of the types of medical provider insurance claims testing such a system might continuously perform are:

–creation of a statistical model of each claim type (the normal claim) to compare with all medical provider claims processed to identify “abnormal” claims;

–run each claim through a comprehensive series of tests and statistical analysis configured for each claim type;

–identify improper payments;

–incorporate findings and experience on an on-going basis to continually improve results;

–identify medical providers and patients engaged in fraud, waste and abuse.
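The three FADS methodologies described above (invoice centric, vendor centric and predictive scoring against peer group norms), worked through on a constructed vendor billing stream as an added example that is not code from the original post or from any FADS product. The vendors, invoice numbers, amounts, the single-approver limit of 5,000 and the “just below the limit” band are all assumptions; the predictive score uses a median/MAD robust z-score, one reasonable choice for “deviance from peer group norms”, not a specific vendor’s algorithm.

```python
"""Invoice-centric, vendor-centric and predictive tests over constructed invoices.

Added example; all vendors, invoice numbers, amounts and cutoffs are constructed.
"""
from collections import Counter, namedtuple
from statistics import median

Invoice = namedtuple("Invoice", "id vendor peer_group amount number")

APPROVAL_LIMIT = 5000.0   # assumed single-approver limit
NEAR_LIMIT_BAND = 0.95    # assumed: flag amounts in the top 5 percent below the limit

HISTORY = [  # constructed processed invoices; V3 is the odd one out
    Invoice("I1", "V1", "office", 210.0, "1001"),
    Invoice("I2", "V1", "office", 190.0, "1002"),
    Invoice("I3", "V2", "office", 300.0, "A-7"),
    Invoice("I4", "V2", "office", 280.0, "A-8"),
    Invoice("I5", "V5", "office", 250.0, "0091"),
    Invoice("I6", "V5", "office", 260.0, "0092"),
    Invoice("I7", "V6", "office", 220.0, "S1"),
    Invoice("I8", "V6", "office", 230.0, "S2"),
    Invoice("I9", "V3", "office", 4900.0, "77"),
    Invoice("I10", "V3", "office", 4900.0, "77"),   # same invoice number resubmitted
    Invoice("I11", "V3", "office", 4950.0, "78"),
    Invoice("I12", "V4", "it_hw", 12000.0, "Z1"),
]


def invoice_centric(invoices):
    """Patterns within the invoices themselves, without regard to the vendor.
    Returns {invoice_id: [reasons]}."""
    seen = Counter((inv.vendor, inv.number) for inv in invoices)
    flags = {}
    for inv in invoices:
        reasons = []
        if seen[(inv.vendor, inv.number)] > 1:
            reasons.append("duplicate_invoice_number")
        if APPROVAL_LIMIT * NEAR_LIMIT_BAND <= inv.amount < APPROVAL_LIMIT:
            reasons.append("just_below_approval_limit")
        if reasons:
            flags[inv.id] = reasons
    return flags


def vendor_centric(invoices, flags, min_flagged=2):
    """Vendors that keep submitting flagged invoices: {vendor: flagged_count}."""
    by_vendor = Counter(inv.vendor for inv in invoices if inv.id in flags)
    return {v: n for v, n in by_vendor.items() if n >= min_flagged}


def predictive_score(new_inv, history):
    """Robust z-score of a new invoice's amount against its peer group's history.
    The vendor's own invoices are excluded so it cannot set its own norm.
    Returns None when there is too little peer history to score against."""
    peers = [h.amount for h in history
             if h.peer_group == new_inv.peer_group and h.vendor != new_inv.vendor]
    if len(peers) < 3:
        return None
    med = median(peers)
    mad = median([abs(a - med) for a in peers])
    if mad == 0:
        return None
    return (new_inv.amount - med) / (1.4826 * mad)   # 1.4826 scales MAD to a sigma-like unit


if __name__ == "__main__":
    flagged = invoice_centric(HISTORY)
    print(flagged)
    print(vendor_centric(HISTORY, flagged))
    print(predictive_score(Invoice("N1", "V3", "office", 4800.0, "79"), HISTORY))
```

Feeding the output back is the “learning experience” the text describes: an invoice pattern that keeps appearing becomes a new reason in `invoice_centric`, and a vendor that `vendor_centric` keeps returning gets a lower `min_flagged` or a tighter band on the next run.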