Fraud Data Analytics: Selecting the Strategy
In our first blog in a series on fraud data analytics, we identified a ten-step methodology for conducting a fraud data analytics project. In this blog, we will discuss step three:
Which data mining strategy is appropriate for the scope of the fraud audit? There are three considerations:
Fraud data analytics strategy
Precision of matching
Calibrate for sophistication of concealment
Fraud Data Analytics Strategy
There are four strategies that can be used in developing a data interrogation routine. Within each strategy, we need to identify the associated pattern, frequency and the precision of matching. The chosen strategy must be calibrated for the sophistication of concealment.
Specific identification: The design of the analysis is exactly as it sounds; it focuses on identifying a specific data pattern. The process starts with a fraud risk statement and then a specific data pattern associated with the fraud risk statement. The key search words are: matching; duplicate; change; missing and specific anomaly.
Internal control avoidance: The concept focuses on transactions that either avoid internal controls or attempt to circumvent internal controls. The strategy is based on the concept that when an individual is intentionally avoiding internal controls the person may have evil motives.
Data interpretation: This strategy requires the selection of entities or transactions through the visual examination of data on a report designed by the fraud auditor.
Number anomaly: The design of the analysis focuses on a number and the frequency of the number. The strategy is a blend of specific identification and data interpretation. The best part of the analysis is the ease of use. Number anomaly looks for such things as a recurring number, even number, contra number and the use of Benford’s Law. Once the data pattern is identified, then the fraud auditor uses the data interpretation strategy.
When you analyze the master file data or the transactional data, remember to weigh the accumulated significance of all the red flags. In some cases, one glaring red flag—for example, a vendor address that directly matches an employee address—indicates fraud. However, more often auditors must search for a variety of small red flags that collectively indicate fraud.
Precision of Matching
The concept of identifying red flags seems relatively simple until the fraud auditor factors into the equation the following types of matches:
Exact match. The two data elements are an exact match. An easy example is invoice date. Two invoices from the same vendor are dated July 24. From an address field, two or more vendors have the same: street address; city, state and postal code.
Close match. The data elements are similar to another transaction. Two invoices from the same vendor are within three days of each other. From an address field, two or more vendors have the same city, state and postal code, but the street address is different.
Related match. The data elements are similar but exceed the close match test. From an address test we would focus on postal code or all postal codes within a geographic radius.
As a guideline, the fraud data analytics should start with exact matches followed by close matches. The related match tends to be used to uncover a highly sophisticated concealment or a specific allegation of fraud.
Calibrate for Sophistication of Concealment
We have developed a simple system of ranking fraud concealment sophistication based on low, medium, and high. There are two sides of the definition. From the perpetrator’s perspective, it is the ability or intent to conceal fraudulent actions from detection. From the auditor’s perspective, it is the ability of fraud data analytics to identify the fraudulent action for audit examination.
Concealment is either a general condition of the database or a specific action committed by the perpetrator. However, do not think of this as cloak and dagger. In some ways, the general conditions are what allow the fraud scenario to go undetected. The specific concealment actions become the basis of our fraud data profile.
Before you begin, ensure that you have calibrated your analytics to the anticipated level of sophistication of concealment. “Sophistication of concealment” refers to the perpetrator’s ability to hide illicit transactions. Fraud can only be revealed when the auditor’s methods of detection are more sophisticated than the fraudster’s methods of concealment.
To illustrate how the sophistication of concealment and the precision of matching work within fraud data analytics, let’s look at bank accounts:
Low sophistication: There is an exact match between the perpetrators’ known bank account number and the shell company bank account number.
Medium sophistication: There is a close match between the perpetrator’s bank account and the shell company bank account number i.e. same bank routing number but a different bank account number.
High sophistication: No match exists between the perpetrators’ known bank account number and the shell company bank account.
To identify instances of fraud, auditors must adapt their analytics to match the perpetrators’ level of expertise. A few practical guidelines in calibrating your search routine
1. Transactional data is more likely to be effective than master file data.
2. If the sophistication of concealment is high, master file data search routines are not effective.
3. Most transactional fraud data analytics will use the following data elements: control number; date; amount; description and general ledger.
Practical Illustration of the Methodology / Fraud Risk Statement
Payroll function causes a real non-complicit employee who terminates employment (employee physically departs work place without notifying Human Resources) not to be removed from the payroll for a temporary period of time and payroll submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.
Strategy: Specific Identification Analysis
1. Starts with identifying all employees with a termination date within the audit scope period.
2. Second analysis is to search for a change to bank account numbers for employees with a termination date:
- Change to bank account number or
- Change to bank account number within four weeks of termination date
3. The first two steps create a homogeneous population of employees for the next stage of fraud data analytics.
4. Third analysis incorporates the sophistication of concealment and the matching concepts described in the next two sections.
5. Sample selection is based on the pattern and frequency described in the next two sections.
Sophistication of Concealment
The key to detecting the scheme is the change to address or bank account. To illustrate, we will assume all employees have direct deposit
Low sophistication, the payroll person has changed all the terminated employee’s bank account to the same bank account number. Most likely a bank account under the name of the payroll person. The frequency analysis would indicate multiple employees using the same bank number and bank account number.
Medium sophistication, the payroll person has changed same bank but a different bank account number. In this scenario, the payroll person maybe in collusion with a bank employee. The frequency analysis would indicate a high frequency of changes to the same bank.
High sophistication, the payroll person has changed a different bank for each terminated employee. The payroll person maybe in collusion with friends or family. Frequency analysis maybe effective depending the number of occurrences.
Precision of Matching
Based on the specific identification strategy, search for a duplicate bank account number using an exact match on bank number and bank account number. If there is no match, then the process should use the close match on payroll person bank number and terminated employees changed bank number.
Fraud data analytics is about identifying transactions that match the data attributes of the fraud risk statement. The strategy defines the data interrogation technique and, subsequently, which employees are examined. In the proceeding illustration, all employees with a termination date in the audit time period and with a change of address or bank account number would cause the selection of the employee for fraud testing.