Fraud Auditing, Detection, and Prevention Blog

Fraud Data Analytics for Shell Companies: A Worked Example

Jun 7, 2018 12:17:00 PM / by Leonard W. Vona

Shell companies are a common fraud scheme you might come across when carrying out a fraud audit. Let’s take a look at how you can implement fraud data analytics into your audit when approaching shell company schemes in particular as a worked example.

The Basics

When it comes to using fraud data analytics there are a few basic rules your team need to follow in order to accurately search for a fraud risk statement:

  1. Understand what you are searching for. This is the most important rule of any fraud audit.
  2. Every business transaction must link to a master file data.
  3. Every business transaction must also link to transaction file data.
  4. Develop a plan based on the specific fraud risk statement.
  5. The fraud data analytics must search for pattern and frequency that correlate to the fraud risk statement.
  6. Calibrate your fraud data analytics to the sophistication of concealment
  7. Focus on the weight of the data red flags versus any one red flag.
  8. Once these rules are understood and accepted, your search for shell companies can begin. To recap from our common fraud blog post, shell companies are fake companies used to steal company assets.  


There are five primary categories of shell companies:

  • Created
  • Assumed
  • Hidden
  • Conflict of interest
  • Temporary shell companies


Following the most important rule, rule one, your team should first determine which category of a shell company they are searching for.

Moving Forward: A Worked Example

For purpose of this blog we will search for the shell company created by an internal employee that is committing an asset misappropriation scheme by submitting invoices for services not provided. This falls under the ‘created’ category of a shell company.

The fraud risk statement (made up of who, how, what and the impact of the scheme are) would be:

Budget owner acting alone causes a shell company to be set up on the vendor master file, process a purchase order or contract and approves a fake invoice for goods or services not received causing the diversion of company funds. 

Entity Rules for Concealment

We should first take a look at the entity rules when it comes to fraud concealment and how your team might identify that this shell company is linked to an employee. With a shell company, there are several things we might expect to evidence during an audit:

  • At a low level of concealment, there should be a linkage between the employee and the vendor master file. Perhaps the employee has the same address as the shell company. Clearly, the employee has made next to no effort to conceal their identity and so this is fairly easy to uncover.
  • At the medium level of concealment, there should be a limited linkage between the employee and the vendor master file. Perhaps the employee has a different address for the shell company although it is in the same zip code. They have made some, but not a great deal of, effort to conceal their fraud.
  • At the high level of concealment, there is no linkage between the employee and the vendor master file. Therefore, you must go to the transaction files instead. Perhaps the vendor is set up in another state entirely and forwards to their own address although there is no trail in the data for you to follow.


Testing These Rules

The first test your team would carry out will be attempting to match the employee master file to the vendor master file on key fields like address, phone number or bank account number – since a low level of concealment should be assumed and perhaps even hoped for in the first instance. While matching is not easy as it sounds, with a little creativity and effort it does work.

The second test your team should carry out would be a missing data analysis. The theory is that the perpetrator is attempting to control access to the vendor by ensuring that no one contracts the vendor without their assistance.. It is recommended to use a score card to determine the number of fields that are missing identifying information for each vendor. Those vendors with the highest number of missing fields become the vendors of interest in this test. 

Assuming the employee is at medium fraud concealment sophistication, the address fields, phone number, bank account number and email address may provide a linkage of the perpetrator to the shell company even still. I.e. same bank but different bank account numbers. 

The third test focuses on the address field or the bank account number. Your team knows that the funds are either mailed or wired so should start with the address field. Begin by looking for vendors that are using a shared office environment to provide the illusion of a physical office without actually being a real company. UPS stores now have a mail box service. Both of the address types start with a street address, but then have unique number for receipt of the mail so are fairly easy to identify. Searching in the street address field number two for the unique number can quickly confirm your suspicions.

Finally, the fourth test is to search for a pattern and frequency in the invoice table and then circle back to the master file data for anomalies. Your team is looking for whether all invoices for a vendor are below a control threshold, all within a certain dollar range and all even numbers all posted to a general ledger code for professional services and no purchase order. Then you can match the bank routing number of the manager to the vendor, if the same we have a suspicious transaction.

Next Steps: Transaction Analysis 

Moving on from these tests, your team would then go on to perform transactional analysis. Transactional analysis is particularly important for high level concealments of entities whereby there are no obvious red flags within the entity data. We will cover exactly how to perform tests on transactions in the next blog post in the series.

Transaction rules are a little different from entity rules, but there are several ways you can approach transactions to look for evidence of a shell company. You might look at invoices and their numbers – uninterrupted sequential invoice numbers, for example, would be a red flag when you do this since this is evidence that the vendor is not invoicing any other companies.

When doing this, it is essential that you make sure your plan based on the fraud risk statement.

Transaction Fraud Data Analysis: The Basics

There are three transactions your team should consider when looking into a shell company scheme:

  • the purchase order
  • vendor invoice
  • vendor payment


Within, these three transactions, there are five pertinent data fields:

  • document date
  • transaction amount
  • document number
  • description field
  • general ledger account number

Document Date

The document date field is used to identify internal control circumvention and speed of transaction analysis. By comparing the purchase order date to the invoice date your team can determine if purchasing was circumvented. Further, by then comparing the invoice date to the payment date your team can also understand the progression of this scheme since as the financial pressures grow the need for money often accelerates.

Document amount

Your team should search for vendors where all invoices are:

  • below a control threshold
  • recorded in one budget owner’s account
  • even numbers
  • a recurring number


Your team should create a report by vendor number and name providing the aggregate spend level, total number of records the maximum invoice amount, minimum invoice amount and average invoice amount report. Then your auditors will need to review the report for red flags associated with specific schemes and filter out the vendor lines that are not consistent with their fraud theory.

Document control number

This is one of my favorite fields to search for patterns and a frequency associated with fraud schemes and is important to cover with your team. The easiest pattern to search for is the sequential pattern of vendor invoice numbers. This is not just useful for shell companies but is also helpful when searching for false billing schemes; pass thru schemes and conflict of interest schemes.

By vendor number your team needs to identify the first and last record by invoice date. Your team should then compute a range between the records and compare the range to the number of records. This report should be able to identify all of the schemes mentioned above.

Line item description

This field is great for tangible goods. For services, it will depend on the detail populated in your electronic data.

Line item descriptions always contain alpha and numeric descriptions, for example “6781 apples”. The key is to search for anomalies in the data. Large companies have product description master files that provide a list of every item the company sells. The product number becomes the unique identifier of each item in this example. In large companies the product number can often exceed 10 digits. So, we would search for line item description that has numeric strings that are less than a certain number.

The alpha is a little more difficult, an easy test, is the absence of alpha in the line item description, or the alpha description has less than 5 alpha positions. Sometimes visual examination in the early stages can be useful in the designing the test parameters.

The fraud theory is that the line item description associated with a false vendor is not consistent with a real vendor that has a product description file.

General ledger account code

The field is important for creating and managing homogeneous data files grouped by expenditure category. It is also where a budget owner would have their fraudulent charges recorded.

For example, if there is an allegation that someone is involved in some type of fraud involving equipment rental your team would create a file of transactions based on general ledger codes, then create the proceeding reports for date, amount, invoice number and line item description.

Beyond Basics

By taking a look deeper into the transactional rules and entity your team should be able to find what they are looking for. This methodical approach to an audit using fraud data analytics will ultimately speed up identification and confirmation for your teams and allow them to prevent and detect more fraud schemes than ever before.

At Fraud Audit Inc., we have over 38 years of diversified experience when it comes to fraud. Fraud auditing is something we live and breathe. Contact us today to talk through your training and expert needs. We can better empower your team to approach fraud.

Demystifying Fraud eBook CTA

Topics: Fraud Data Analytics, Fraud Definitions, Worked Example

Leonard W. Vona

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.