Analytics for fraud investigations

Many have wondered why one would perform analytics for fraud detection (or prevention) in good times (business as usual), when no whistle has been blown about a fraud suspicion.

Is this not a grey area where people’s sensitivities are involved and news about investigations can affect the organization’s brand image? Being trolled on social media becomes painful to counter. But the CFO’s office is the hardest hit when it comes to answering the Board on the financial losses incurred through fraudulent activities that leave a gaping hole in the finances.

Traditional anomaly detection is conducted routinely by internal or external auditors. But these audits are insufficient: they are not backed by powerful tools, and their objectives and terms of reference limit the investigation to a certain depth and no more.

Often referred to as “Forensic Audit”, fraud detection methods assume great significance because they require digging deeper than a normal audit: examining and investigating internal control failures, conflicts of interest, social networks and multiple other factors such as behavioural analysis, and crunching big data that can extend beyond the time period under the lens.

A prudent and practical approach would be to set up a mechanism that proactively provides analytics and flags high-risk areas that need immediate attention.

Fraud Analytics is the use of analytical technology with intelligent business rules and techniques, which will help detect improper transactions like bribery, favouritism, working capital leakage, asset misappropriation, etc. either before or after the transaction is done, so that appropriate steps can be taken to prevent further damage.

Fraud Analytics also helps in performance measurement, in evaluating internal control failures and deficiencies, and in standardizing and constantly improving processes, which benefits the overall organization and its governance.

Fraud perpetrators use many different and unique techniques, varied at random to prevent discovery; therefore the techniques used for detection have to include one or many of the following:

  1. Capable of running automated business rules that throw up anomalies, which can then be investigated further to separate true positives from false positives.
  2. Calculation of various statistical parameters like averages (for example average number of calls made, emails exchanged, delays in bill payments, etc.), quantities (for example comparison of total quantities ordered / received / invoiced / returned), performance metrics (e.g. attrition rate pattern amongst certain departments, sales returns peaking immediately after monthly close, etc.), user profiles (e.g., interested party contracts, sudden lifestyle changes by the user, behavioural patterns noticed) etc.
  3. Trend analysis using time series distribution.
  4. Clustering and classification that can help find patterns and associations within data sets.
  5. Algorithms, models and probability distributions of various business activities.
  6. Machine learning and neural networks to automatically identify the characteristics of fraud, refined later as Big Data inputs grow.

Having a Fraud Prevention program for controlling fraud risks is an important part of Enterprise Risk Management and gives your investors, partners and auditors more confidence in your demonstrated ability to tackle fraud in a sustained manner rather than on an ad-hoc basis.

Know the difference

Many people have asked me whether internal controls monitoring is sufficient to unearth suspicious transactions, abuse of processes or frauds. Do you really need another fraud investigation exercise?

Both exercises have different objectives and perspectives and answer different needs (e.g. do we need to prevent or detect, examine historical or current data, use a predictive or presumptive approach, bring in concurrent or forensic audit, etc.).

To answer this question, my take on this is as follows:

Continuous monitoring of internal controls of an organization focuses on:

  1. Determining sufficiency and deficiency of internal controls on structured business data such as financial accounting, human resources, payroll, treasury operations, etc.
  2. Following a systematic, repetitive approach for testing the effectiveness and efficiency of controls.
  3. Getting periodic self-assessments and certifications for organizational level assertions.
  4. Scanning data after business transactions are performed or committed, thus mostly providing a detective mechanism.
  5. Notifying responsible persons of internal control failures on an exception basis, generally based on the materiality concept.

Fraud investigation, on the other hand, is more than just monitoring business controls in an organization.

  1. Investigations of suspicious transactions can be far-reaching in terms of timeframes. While internal controls monitoring usually covers the current quarter, half year or year, a forensic investigation may necessitate going back several years to assess the patterns adopted by the fraudster and quantify the damage caused.
  2. In order to crunch high data volume, one may need to adopt some technology or computer-aided tool for enabling data mining, analysis, simulation, predictive analytics, complex business rules, etc. for determining trends and patterns.
  3. Performing fraud detection or screening of transactions as a preventative measure, before the business transaction is completed, is a must in some scenarios, for example screening high-volume payments, credit card approvals / blocking, bank ATM network validations, etc.
  4. External sources of information and unstructured data (emails, phone calls, whistle-blower tips), when combined with internal business transactions, may point to failures of multiple controls leading to abuse of power or processes, bribery, corruption, or misappropriation of cash or assets.
  5. Individual controls may be very effective, but a combination of controls may tell a different story, for example:
    1. Controls in the purchase process may be effective, but the purchase officer may be colluding with a preferred vendor or with another employee.
    2. Multiple approval workflows may be working fine, but invoices or contracts may be split to bypass approval levels, pushing through business transactions that violate company policy and favour outside parties.
    3. Administrators authorized to maintain master data may occasionally flip a payee’s name back and forth to direct a payment to themselves, which goes unnoticed.
    4. Working on holidays or late shifts, combined with suspicious write-offs (say of inventory or consumables) to cover up thefts from warehouses, plants, etc.
    5. Leakage of financial / competitive information, either overtly or covertly, sharing of passwords, succumbing to social engineering attacks, undeclared conflicts of interest, etc.
  6. Fraud investigation also needs to be flexible enough to add more factors to the analysis or change the thresholds and parameters in the logic for determining exceptions.
  7. Fraud investigation usually starts off by examining existing internal controls and can throw up new insights into deficiencies in internal controls that need strengthening. There is a two-way benefit for the groups involved in testing controls and in fraud investigation.
  8. In the event of a fraudster being involved, human behaviour / psychology, and the observation and interpretation thereof, play a large part in concluding the investigation. The user’s identity needs to be pseudonymized and business operations must go on unaffected until the case is closed.
  9. Upon conclusion, the case may lead to criminal proceedings, which require gathering and submitting evidence in a court of law. Fraud examiners need a basic understanding of the various laws and legal provisions that apply to the specific case under investigation.
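The following is an added example, not code from the original article or from any product it describes. It shows a few of the automated business rules and statistical parameters listed in the detection techniques above (items 1 and 2) applied to the combination-of-controls scenarios in items 5.2 and 5.3 of this list: invoices split to stay under an approval level, a master-data field flipped and flipped back, an ordered / received / invoiced quantity mismatch, and a vendor paid unusually fast. All names, thresholds, dates and records are constructed assumptions for illustration; the rules produce candidates for investigation, not conclusions.

```python
# Added example (not from the original article): a small set of automated
# business rules of the kind listed above, run over constructed purchase-to-pay
# records. All names, thresholds and data below are assumptions for illustration.
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

APPROVAL_LIMIT = 10_000     # assumed single-approver limit; at/above needs a higher level
SPLIT_WINDOW_DAYS = 3       # assumed window within which split invoices would be raised
Z_THRESHOLD = 1.5           # assumed |z-score| beyond which a metric is flagged

# Constructed invoices: (invoice_id, vendor, invoice_date, amount)
INVOICES = [
    ("INV-1", "Acme", date(2023, 3, 1), 9_800),
    ("INV-2", "Acme", date(2023, 3, 2), 9_700),
    ("INV-3", "Acme", date(2023, 3, 3), 9_900),
    ("INV-4", "Beta", date(2023, 3, 5), 4_000),
    ("INV-5", "Beta", date(2023, 4, 20), 4_100),
    ("INV-6", "Acme", date(2023, 3, 15), 2_500),
]
# Constructed vendor master-data change log: (change_date, admin, vendor, field, old, new)
MASTER_CHANGES = [
    (date(2023, 3, 9), "admin1", "Gamma", "bank_account", "GB-111", "GB-999"),
    (date(2023, 3, 10), "admin1", "Gamma", "bank_account", "GB-999", "GB-111"),
    (date(2023, 3, 12), "admin2", "Delta", "bank_account", "GB-222", "GB-333"),
]
# Constructed three-way match data: (po_id, qty_ordered, qty_received, qty_invoiced)
THREE_WAY = [("PO-1", 100, 100, 100), ("PO-2", 50, 45, 50), ("PO-3", 20, 20, 20)]
# Constructed average number of days taken to pay each vendor's invoices
DAYS_TO_PAY = {"Acme": 2, "Beta": 31, "Gamma": 29, "Delta": 33, "Epsilon": 30}


def split_invoice_candidates(invoices, limit=APPROVAL_LIMIT, window_days=SPLIT_WINDOW_DAYS):
    """Rule: several sub-limit invoices from one vendor within a short window whose
    total is at or above the limit may have been split to bypass an approval level."""
    by_vendor = defaultdict(list)
    for inv in invoices:
        if inv[3] < limit:
            by_vendor[inv[1]].append(inv)
    findings = []
    for vendor, invs in by_vendor.items():
        invs.sort(key=lambda i: i[2])
        cluster = []
        for inv in invs + [None]:            # None is a sentinel that closes the last cluster
            if cluster and (inv is None or (inv[2] - cluster[0][2]).days > window_days):
                total = sum(i[3] for i in cluster)
                if len(cluster) > 1 and total >= limit:
                    findings.append((vendor, [i[0] for i in cluster], total))
                cluster = []
            if inv is not None:
                cluster.append(inv)
    return findings


def flip_flop_changes(changes, window_days=7):
    """Rule: a master-data field changed and then reverted to its previous value
    within a short window (the 'flip flop' pattern); reports who made both changes."""
    by_field = defaultdict(list)
    for ch in changes:
        by_field[(ch[2], ch[3])].append(ch)
    findings = []
    for (vendor, field), chs in by_field.items():
        chs.sort(key=lambda c: c[0])
        for a, b in zip(chs, chs[1:]):
            reverted = b[4] == a[5] and b[5] == a[4]
            if reverted and (b[0] - a[0]).days <= window_days:
                findings.append((vendor, field, sorted({a[1], b[1]}), a[0], b[0]))
    return findings


def three_way_mismatches(records):
    """Rule: invoiced quantity above received, or received above ordered, means
    paying for goods that were never delivered or never approved."""
    return [(po, o, r, i) for po, o, r, i in records if i > r or r > o]


def payment_delay_outliers(days_to_pay, z_threshold=Z_THRESHOLD):
    """Statistical parameter: vendors whose payment delay is far from the norm.
    An unusually fast payer can indicate favouritism towards that vendor."""
    mu, sigma = mean(days_to_pay.values()), pstdev(days_to_pay.values())
    if sigma == 0:
        return []
    return [v for v, d in days_to_pay.items() if abs((d - mu) / sigma) > z_threshold]


if __name__ == "__main__":
    print("possible split invoices:", split_invoice_candidates(INVOICES))
    print("master-data flip flops:", flip_flop_changes(MASTER_CHANGES))
    print("three-way mismatches:", three_way_mismatches(THREE_WAY))
    print("payment-delay outliers:", payment_delay_outliers(DAYS_TO_PAY))
```

Each rule on its own is a weak signal; the point of the combination-of-controls discussion is that the same vendor or administrator appearing in more than one finding is what merits a closer look. The thresholds (approval limit, window, z-score) are exactly the parameters that item 6 above says an investigation must be free to adjust.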

In summary, internal controls monitoring and fraud investigations are like two arms – inputs from both being useful to each other.

I would rate fraud investigation or forensic audit as a wider and broader platform (as compared to internal controls monitoring), going by the objectives of the exercise and the challenges presented by the sheer volume of data (external and internal) to be analyzed.

Risks caused by frauds

I have wondered many a time what makes this topic interesting at once, yet dealt with in hush-hush tones when an anonymous whistle is blown.

Why do organizations and those in the higher echelons postpone / neglect or trivialize the need to look at this risk a little closer (even before an incident happens)?

True (and rightfully so) all organizations give the utmost importance to improving their top line / bottom line revenues and profits, but one fraudster can create a devastating setback to what was built up over the years – reputation, goodwill, customer faith, vendor relationships and so on.

Behavioural analysis can reveal a lot about why such risks arise and the tell-tale signs of perpetrators. According to a 2016 study by the Association of Certified Fraud Examiners (ACFE) covering Southern Asian countries (courtesy: Report to the Nations on Occupational Fraud and Abuse), fraud perpetrators often show red-flag behavioural characteristics associated with their crimes: living beyond their means, unusually close association with vendors, financial difficulties, etc.

In recent times there are many interpretations of what ultimately leads to a fraud. Here are examples of some of them.

  1. Failure of business integrity.
  2. Lack of ethics.
  3. Suspicious business transactions.
  4. Lack of business partner screening and approval.
  5. Lack of awareness of company business conducted with parties related to the organization’s management and employees.
  6. Suspicious movement / physical entry of persons, whether during or after business hours.
  7. Excessive authorizations, or breaches of passwords, networks, servers or applications by either internal staff or external hackers.
  8. ... and the list can go on.

When broken down into several root causes like the ones cited above, it becomes easier to tackle the overarching subject of “risk of frauds”. You would realize that several arms of the business functions are responsible for proactively tackling these risks.

A closer analysis of the root causes for these risks related to frauds will point to the underlying factors:

  1. Insufficient or lack of business controls (aka internal controls).
  2. Lack of awareness of ethical standards and integrity in business dealings (lack of Governance principles).

Risks, Controls and Governance are intertwined and cannot be dealt with as isolated topics. In my opinion, there cannot be a debate on which one is more important than the other. One needs to have a holistic view of all three aspects – even if you are not able to tackle all of them at the same time due to either resource or cost constraints in the organization, at least be aware about the inter-relationships.

Even large multinationals keep these topics at arm’s length between internal audit, the Board and Audit Committee, and operational departments, which I think confuses the whole issue at hand. That is probably one of the reasons why topics like risk management programs, SOX compliance and technology implementations appear so daunting.

Clearly one has to structure these at a high level and follow a vision statement for effectively bringing in good governance, business controls and risk management programs in a phased manner, but never losing sight of the benefits of an integrated view.