taking data analytics to the next level...the first 48 hours: live server log files pulled for early...

®2013 Association of Certified Fraud Examiners, Inc.

Taking Data Analytics

to the Next Level

Upping the Analytic Ante:

A Structured Approach to Unstructured Data


2 of 36

Structured Data Sources

SAP

Oracle

JD Edwards

Great Plains

Quickbooks

Excel or Access

SAS

Web logs

CRM and sales data

Customs & logistics

Access logs

Trade data

Surveys

Research data


3 of 36

Integrating Forensic Analytics into the

Investigation or Anti-Fraud Program

Pre-field work analysis and sample selections:

Mine payables data for potentially improper payments

Mine selected, high-risk GL accounts:

Gifts, charity, donations, promotions, miscellaneous, customs

Mine travel & entertainment

Conflicts of interests between vendor and employee

master


4 of 36

Integrating Forensic Analytics into the

Investigation or Anti-Fraud Program

During field work

Use of interactive dashboards during interviews

Additional “drill-down” when new information is

discovered


5 of 36

Common Structured Data Anti-Fraud Tests

Payment stream analysis Altered invoices, goods not received, duplicate invoices,

unauthorized payments, excess quantities purchased,

requestor/approver conflicts

Vendor master/employee master

comparisons Conflicts of interest, fictitious vendors, background due diligence

Employee expenses and P-card expenditures Over limits, unauthorized expenses, miscellaneous/sundry

expenses, bribery


6 of 36

Common Structured Data Anti-Fraud Tests

Payroll Ghost employees, unusual payments, no

deductions/evaluations, direct deposit account analysis

Bribery and corruption Bid rigging, conflicts of interest, contract compliance, kickbacks,

payments to outside consultants, inappropriate donations


7 of 36

Who

Recipient

Corrupt

IntentBusiness

Purpose

Payment

FCPA

Violation

The FCPA potentially applies to any individual, firm,

officer, director, employee, or agent of a firm and any

stockholder acting on behalf of a firm.

The person making or

authorizing the payment must

have a corrupt intent, and the

payment must be intended to

induce the recipient to misuse

his official position to direct

business wrongfully to the

payer or to any other person.

Prohibits paying, offering, promising to

pay (or authorizing to pay or offer)

money or anything of value.

Extends only to corrupt

payments to a foreign

official, a foreign political

party or party official, or

any candidate for foreign

political office.

Prohibits payments

made in order to

assist the firm in

obtaining or

retaining business

for or with, or

directing business

to, any person.

Source: www.justice.gov/criminal/fraud/fcpa/docs/lay-persons-guide.pdf

DOJ’s Five Elements of an FCPA Violation Good Framework for Developing Corruption Tests


8 of 36

Anti-Bribery and Corruption

Analytics Work Plan Element of an

FCPA violation Sample analytical tests

Who (Vendor & agent analysis)

• Stratify agent payments by time period and currency amount

• Stratify agent payments by contract or project code

• Identify large, round-sum payments by agent and frequency

• Identify top ten agents with highest expense-to-fee ratio

• Analysis of agent commissions, recurring commissions,

large/round dollars, etc.

• Identify payments to vendors not listed in the vendor master

• Cluster bottom ten agent payments and frequency

Corrupt intent (Text analytics)

Concept analysis of free-text fields of selected GL data:

• Cash disbursements

• Travel and entertainment

• Consultant/agent payments

• Marketing expenditures

• Charitable expenditures

• Customs clearance account

• Cost of sales


9 of 36


Analytics Work Plan (continued)

Element of an

FCPA Violation Sample analytical tests

Payment (Cash disbursements

analysis)

• Cash disbursement analysis by country

• Petty cash account analysis in selected countries

• Payments made w/o a P.O. or to payee not in vendor master

• Compare payment activity to Transparency International’s

CPI index (generate heat map)

• Analysis of travel and entertainment by country

• Analysis of payments to charity by country

• Analysis of payments made to customs agents by country

• Vendor background checks/third-party due diligence


10 of 36


Analytics Work Plan (continued)

Element of an

FCPA Violation Sample analytical tests

Recipient (Customer / buyer analysis)

• Customer segmentation by country

• Government customer segmentation by country

• Transparency International’s CPI index

• Sale price and margin analysis across customers by product

• Free goods or credits as a percentage of sales

Business purpose

test (Revenue analysis)

• Trending analysis of revenue by country

• Stratification of revenue by country

• Trending analysis of revenue by customer

• Stratification of revenue by customer

• Calculation of effective commission rate paid to agents


11 of 36

Procure-to-Pay,

Accounts Payable Tests


12 of 36

Vendor Cash Disbursement,

Payment Analytics

Analytics include:

Vendor stratification and clustering by amount and over

time

Requestor/approver conflicts—fake invoices or ghost

vendors

Conflicts of interest—employee and vendor master

comparison

Text mining and keyword searching of suspicious

payment descriptions

Identify government vendors or payments in unusual

foreign currencies


13 of 36

Questions to ask:

Did executives have fake vendors on the vendor

master linked to their home, friends, or personal bank

accounts?

Were there duplicative invoices being submitted to

extract cash?

Were executives overriding controls to extract cash for

bribes?

What is the nature of the vendors that certain

executives approved?

Vendor Cash Disbursement,

Payment Analytics


14 of 36

Accounts Payable Analytics

Vendor stratification

Round-dollar amounts

One-time payees or payees

not on vendor master

Duplicative payments

High amount/low frequency

or low amount/high

frequency

Keyword search for

suspicious payment

descriptions

Concept analysis of

free-text terms

Statistical anomaly

detection

Payments in unusual

currency

Employee and vendor

master conflicts

Payment and vendor

risk scoring


15 of 36

AP Demonstration


16 of 36

Travel and Entertainment Expense

Analytics Analytics include:

Where are expenses

occurring (country,

state, city) by

category?

What is expense for?

How much?

Who is submitting?

Duplicate expenses

Text mining and

keyword search

EY’s interactive T&E Expense Review Dashboard


17 of 36


Analytics Questions to ask:

Are there patterns with respect to who executives

entertained (e.g., state-owned entities, PEPs, and

other government officials)?

Are there patterns of inappropriate expenses

(nightclubs, gift giving, etc.)?

Are there bogus reimbursements to fund improper

cash to executives so they could to entertain public

officials?


18 of 36


Analytics Stratify by top employees

Stratify by expense

category

Round-dollar amounts

Keyword search expense

descriptions

Concept analysis of

expense descriptions

Entity extraction—look for

proper names in

descriptions

Statistical anomaly

detection

Low dollar/high

frequency

Weekend T&E incurred

Focus on T&E with

government officials

Employee risk score


19 of 36

Travel and Entertainment Example “Who Entertained Whom, Where, What For, and For How Much?”


20 of 36

Other Examples


21 of 36

Customer Analytics

Analytics include:

Customer stratification and clustering by amount and

over time

Revenue recognition and time series analysis at

quarter or year end

Free goods, credits, and discount sales analysis/

comparison

Conflicts of interest—employee and customer master

comparison


22 of 36

Customer Analytics

Questions to ask:

Are any customers getting favorable treatment from

certain executives in terms of average sales price,

discounts, credits, etc.?

Are there patterns that suggest potential revenue

recognition concerns (e.g., sales booked in December

and returned in January)?

Are there customers related to certain executives that

pose conflict of interest concerns (e.g., family

members, same last name, same bank account, same

address, etc.)?


23 of 36

Selected GL accounts

Stratify by selected, high-risk accounts

Adjustments to dormant accounts

Look for reserve or miscellaneous accounts

Round-dollar entries

One-time or end of year/quarter postings

Keyword search JE descriptions

Concept analysis of JE descriptions

Entries made on weekends or holidays


24 of 36

Transaction Risk Scoring

Filter by selected

analytics Review breaches on

targeted analytics


25 of 36

Challenge: Analyze 400,000 transactions for

suspected bribery payments per DOJ subpoena

1. Team reviewed 2,000 transactions from ledger data (text

comments, amounts, dates, etc.)

Identified 400 suspicious and 1,600 non-suspicious entries

2. Created statistical model: “is suspicious”/“is not suspicious”

3. Applied model to remaining 398,000 transactions

4. Identified 14,000 new suspicious transactions

With confidence over 95% similar to “is suspicious”

Identified over $8 million in highly suspicious payments

Methodology accepted by the DOJ for this case

Predictive Modeling


26 of 36

These three variables

were the highest

drivers of suspicious

transactions

These variables were less important when predicting suspicious

transactions. Client should focus resources on monitoring efforts for the

three leading drivers, which accounts for 80% of the predictive value.

Perform Variable

Analysis

Predictive Modeling Focus on the Variables That Matter Most


27 of 36

Practical Problem 2: Finding

Potentially Improper Payments


28 of 36

Practical Problem

Global manufacturing company

Focus on China business activity

Review of accounts payable, T&E, and GL

Analyze dashboard

Analyze selected reports

Analyze transaction risk scoring output

Build your sample selections

Challenge: Who can spot the most improper payments?


29 of 36

Unstructured Data Analytics


30 of 36

Unstructured Data Sources

Instant message

Social media posts

Video

Voice

News feeds

User documents

Email

Presentations

Sales and marketing

iPhone apps


31 of 36

What You Might Have Heard

From eDiscovery

Keyword search

Concept analysis

Predictive coding


32 of 36

Now Let’s Talk Text Mining

Emotive tone—happy, sad, angry, confused,

communications

Ethical behavior—harassing, secretive, cursing

Entity extraction

Text link analysis

Social network

analysis

Fraud triangle

analytics


33 of 36

Social Network Analysis Who Is Talking to Whom?

The first 48 hours: Live server log files pulled for early case assessments

Understanding a complex organization’s true organization chart:

Identification of relationships versus activities, amongst actors

Triage of custodians and communications: Rapidly identify and point to

communications of highest interest

Sample analytics criterion:

1. Private communications where 90% of all communications is outbound

2. Private communications where content is FORWARDED outbound more than 35% of time

3. Private communications where attachments are sent outbound more that 35% of time


34 of 36

The Fraud Triangle* Applying Theory to Electronic Communications

*Donald R. Cressey's Fraud Triangle: Incentive/Pressure, Opportunity, and Rationalization are present when fraud exists.


35 of 36

Interactive Dashboard

Fraud Triangle Analytics – Interactive Dashboard


36 of 36

Rogue Employee Analytics Risk Scoring Model—Peer Stratification Dashboard Review

Peer Stratification

Dots represent clusters of high-risk communications

that can be reviewed by clicking.

Detail-Level View

taking data analytics to the next level...the first 48 hours: live server log files pulled for early...

Documents