1 Brought to you by the publishers of COMPLIANCE WEEK INSIDE THIS PUBLICATION: KPMG: Creating the Connected Enterprise to Drive Information Insights Unlocking the Potential of Information Starting Small, Scaling Up Big Data Playing a Bigger Role in Fraud-Spotting For All Its Promise, Obstacles Remain Ahead BIG DATA The Risks and Rewards Locked in Vast Oceans of Data An e-book publication sponsored by
2 2 e-book A Compliance Week publication Compliance Week, published by Haymarket Media, Inc., is an information service on corporate governance, risk, and compliance that features a weekly electronic newsletter, a monthly print magazine, proprietary databases, industry-leading events, and a variety of interactive features and forums. Founded in 2002, Compliance Week has quickly become one of the most important go-to resources for public companies; Compliance Week now reaches more than 26,000 financial, legal, audit, risk, and compliance executives. KPMG, the U.S. audit, tax and advisory services firm, operates from 87 offices with more than 23,000 employees and partners throughout the United States. Our purpose is to turn knowledge into value for the benefit of our clients, our people, and the capital markets.
3 3 Inside this e-book: Company Descriptions 2 KPMG: Creating the Connected Enterprise to Drive Information Insights 4 Big Data: Unlocking the Potential of Information 8 Big Data: Starting Small, Scaling Up 10 Big Data Playing a Bigger Role in Fraud-Spotting 12 Big Data: For All Its Promise, Obstacles Remain Ahead 14
4 KNOWLEDGE LEADERSHIP Creating the Connected Enterprise to Drive Information Insights By Jeanne Johnson Organizations worldwide are facing a daunting array of views and claims about the power and peril of so-called Big Data. On the one hand, they are told that the ability to collect, manage, and analyze data effectively can lead to better business decisions and lasting competitive advantage. Indeed, companies that invest heavily in advanced analytical capabilities outperform the S&P 500 by 64 percent on average. 1 And recent research at MIT points to the productivity gains companies can achieve when they adopt data driven decision making. 2 Yet most organizations struggle to find the value in data when it is proliferating at an unprecedented pace and volume both inside and outside their walls. The deluge of data is no longer limited to what businesses and governments and their supply chain partners continually generate, store and retrieve that is, the so-called structured data that resides in their collective data centers, either in-house or, more often, in the cloud. Today it also includes the soaring volumes of external and largely unstructured data generated by mobile device users and via social networking that is changing how 1 An interview with Thomas H. Davenport and Jeanne Harris, Analytics and the Bottom Line: How Organizations Build Success, Harvard Business Review, Sept. 23, Research by Professor Brynjolfsson (MIT) suggests that data-guided management is spreading across corporate America and starting to pay off. They studied 179 large companies and found that those adopting data-driven decision making achieved productivity gains that were 5-6% higher than other factors could explain. companies monitor and assess their performance. Staying on top of all the company information generated from transaction systems is challenging enough, says Jeanne Johnson, who leads KPMG s Data & Analytics (D&A) innovation initiative. But this challenge is compounded by the need to access and analyze insights generated from disparate reporting systems, not to mention the unstructured data generated by a wide variety of external stakeholders. The old conventions for measuring, managing, and monitoring a business as well as assuring the quality of its data will be stressed to new extremes as speed, the need for trustworthy information, and machine learning continue to influence the marketplace. As a result, says Johnson, to succeed in the data-driven economy you ll have to be able to figure out what you didn t know or didn t expect as much as optimize what you did know and could anticipate. Case in Point: Data Drives Business Decisions Specifically seeking the ability to make fact-based decisions, a professional sports team needed help with its strategy for outsourcing concessions and retail operations at two facilities. Transactional and financial analytics were used to evaluate the existing contract with the team s service providers External data as well as internal data provided by the team and its sourcing partners was used to predict future revenue streams under seven different scenarios including in-sourcing, contracting, and joint-venturing with another professional team. The IT, finance, and internal audit functions worked together to create predictive revenue models and dashboards for evaluating the business options. Within five weeks, savings of $1 million per year were identified in the current contract. Armed with the analytics, the organization is now prepared to better operate its current contract as well as make a fact-based decision about where next to take its concession and merchandise business
5 KPMG To help organizations cope with this revolution, the marketplace is offering a variety of technology fixes, but exactly what problem needs to be solved is often unclear, and it can t be solved solely with technology. To cut through the complexity of Big Data, leaders first need to define the business outcomes they hope to drive. Big data and analytics will fundamentally change how companies operate and control activities inside and outside company walls. Jeanne Johnson, Partner, Advisory Services, KPMG We see organizations looking for data precision, but more than ever they need data relevance, says Tom Keegan, a KPMG advisory partner. Technology can only enable the data. The right approaches for gathering the data, assuring its quality, and using it to create value all of that has to be based on the business and what it wants to achieve. Ironically, in the world of Big Data, the key is not to start big. Rather, organizations can succeed by getting specific and staying focused. What problems is the organization trying to solve? What decisions require better information? How can leaders know if they have the knowledge they need rather than simply a lot of data? A few important steps can put leaders on the right path, says Johnson. Focus on business outcomes first and then determine the information needed to achieve those objectives. Leaders need to take a 360-degree view of the data available to them historic, current and predictive focusing first on business outcomes and then determining the information required to achieve those objectives. In this way, they can extract what they need from the data as well as discover what they don t yet know they need, says Keegan. The leading question is, what knowledge do we need to advance the business agenda? By making the business needs of decision makers paramount, organizations will be in a better position to know what information they need to identify, enable, and realize value from across the enterprise and its entire ecosystem. Then they can begin to locate and assemble the available data to meet identified business needs. Starting small, with efforts to create connections across functions, can drive the most progress. Compliance, IT, operations, and other critical functions Case in Point: From Structured Data to Relevant Information After undergoing a large finance transformation, a global energy corporation encompassing numerous distinct businesses operating in 149 countries wanted to improve effectiveness as well as eliminate up to 40 percent of functional cost. It lacked a consolidated management reporting infrastructure and relied on manually generated management reports. To support business objectives, efforts included developing a strategy to manage information that would result in: A single version of the truth across a portfolio of different businesses A focus on what matters, within each business, to improve business performance through the quality and completeness of its information Cost reduction by eliminating duplication and information redundancy and by optimizing the use of technology and shared services
6 KNOWLEDGE LEADERSHIP must work together to achieve enterprise goals. Big data and analytics will fundamentally change how companies operate and control activities inside and outside company walls, says Johnson, noting that data introduces new ways to understand a company. For example, management uses data and analytics to predict market share 6 to 12 months out; audit and compliance teams can use those same sources and methods to answer critical data quality, compliance, and control questions so they can better manage specific regulatory objectives. Despite floods of data, companies often can t find or use what they need. Worse, data may not be perceived as trustworthy. It may not be accurately sourced, clean, relevant, integrated, or broadly available. All these conditions restrict management s ability to make timely, information-driven business decisions and achieve competitive advantage. Data relevance ultimately hinges on data quality and how it is maintained across the enterprise because poorquality data affects every aspect of what is ultimately relevant to the business. Data quality means how well data satisfies its intended use, says Robert Wentz, managing director of advisory services at KPMG. For financial services firms, for example, data sources for regulatory reports must be accurate, complete, traceable, timely, and transparent so that the business and the regulators can have confidence in the data and their stakeholders can have confidence in the business s decisions and its reporting. A robust program for assuring data quality will ultimately drive data relevance, requiring a partnership between business, technology, and operations. Processes Case in Point: Taking Action Based on Data We see organizations looking for data precision, but more than ever they need data relevance. Tom Keegan, Partner, Advisory Services, KPMG. To derive value from data, aim not only for precision but also relevance. Getting value from extraordinary volumes of data is increasingly challenging, risky, and expensive, even as the amount of digital information is increasing exponentially and at a rate faster than the ability to store and manage it. The corporate compliance department of a large consumer products company was concerned about related-party payments by contractors and third parties. Sophisticated analytics were used to: Evaluate payment process controls and a flow of information in transactions over 18 months; Extract and tie together files from the vendor, employee, payables, and invoicing systems for use in the analysis; and Evaluate checks, vendors, customers, and invoice transactions posted to related entities. Analysis identified over $30M in duplicate checks and payments; unsubstantiated payments to contractors and employees being paid by both the company and a third party simultaneously, and substantial internal control deficiencies across a highly modified legacy ERP system
7 KPMG and technology must be tailored to fit the culture and leverage existing management and oversight structures. Success requires executive advocacy and sponsorship, says Wentz. Assuring data quality means integrating the organization, its processes, and its technology tools, all of which may require a full time staff commitment. Over time, if the role is not measured or rewarded, data quality could suffer, which means the business will suffer. In essence, An information-centric organization needs an information-driven mindset from the top down, says Johnson. That means employees must be managed, measured, and compensated on how well they use data to make decisions and drive business outcomes. New ways of running the informationcentric business of tomorrow will require new organizational models that will ultimately transform most organizations. Formal change management efforts will be needed to create a high-performance culture prepared for the organizational implications of new skills, capabilities, and infrastructure, including underlying performance metrics. Apply analytics so that knowledge becomes actionable. Organizations that devote the right resources to analyzing relevant data will benefit from a more informed perspective that will help them make better business decisions and, ultimately, achieve the measurable business outcomes they desire. This perspective will help leaders move beyond a process focus on how things work, to an information focus on why things work in which situations. If you follow the information flow, you can see patterns that might not be obvious if you stick to traditional process and reporting silos, says Johnson. What information is produced and how? Who consumed it for what purpose when? How is information quality assured and acted on? That s how you find out not just what you ve got but what you may be missing, and then do something about it. Data becomes a valuable asset when it can be transformed into actionable information. A controlled, measurable approach is key to cutting through the complexity of Big Data. Success requires executive advocacy and sponsorship. Robert Wentz, Managing Director, Advisory Services, KPMG Behavioral changes are already taking place in large companies, where social media pressure has forced some to reverse positions that made perfect sense in the boardroom but were rejected by the marketplace. In this context, organizations will measure the value of data by their ability, for example, to: Predict the combined tax, regulatory, and business impacts of a planned global expansion or an accounting change that affects selected products or divisions, or Leverage the risk-management opportunities that would be possible with better transparency into the financial and operational health of suppliers both upstream and downstream. In short, effectively implemented and appropriately managed, a focus on data and analytics can bring clarity to problem solving and insight to business decisions and outcomes from improving fraud risk management to better understanding the industry issues that influence the organization to benefiting from the business value inherent in using data and analytics to manage risk. That s why D&A capabilities are quickly changing from a technology add-on to standard operating procedure for forward-thinking executives. Jeanne Johnson is a Principal in KPMG s advisory practice and serves as the national leader of the firm s Data & Analytics innovation initiative. She has more than 18 years experience in helping organizations plan and execute transformation and change initiatives including merger integrations, strategic planning and new target operating models, and data management and governance programs. KPMG, the U.S. audit, tax and advisory services firm, operates from 87 offices with more than 23,000 employees and partners throughout the United States. Our purpose is to turn knowledge into value for the benefit of our clients, our people, and the capital markets
8 8 e-book A Compliance Week publication Big Data: Unlocking the Potential of Information By Todd Neff Companies are creating oceans of data every day. Many are drowning in it. But the savviest companies see the future of compliance deep in those vast seas of ones and zeros. Collectively, we create 2.5 quintillion bytes of data every single day, according to IBM. A quintillion is a one followed by 18 zeroes. That s so much that 9 of every 10 bytes accumulated on servers and storage media around the world were produced just in the last two years alone. In 2011, we hoarded over 1.8 zettabytes (1.8 trillion gigabytes) added research firm IDC, meaning that the world s data volume is doubling every two years. It s a happy coincidence, then, that amid this explosion of zettabytes, a new set of tools is emerging to harness mass volumes of diverse data at speeds once inconceivable. The new buzzword Big Data isn t about the data, which is indeed big. Rather, Big Data is about what we can now do with it all. The possibilities are tantalizing in everything from retail marketing to geospatial imaging to fraud detection and risk management. LinkedIn uses Big Data to power its people you may know functionality. Facebook uses it as a source for reporting and analytics, as well as for machine learning. Twitter uses it to store and process tweets, log files, and spot user trends. Orbitz uses it to understand user preferences. Chevron uses it to process seismic data from ships cruising for oil reserves. Zions Bancorp uses it to expand its fraud detection net. And so on. It s really about one thing: the ability to cost-effectively handle this growing volume and velocity of data, says David Corrigan, director of strategy for IBM Information Management, a major Big Data player. Yet it s still early days for Big Data. Even in mid-2012, articles on the topic often include a reference to analyst Doug Laney s 2001 description of the three Vs of Big Data. Laney emphasized that the Velocity of data processing and the ability to handle its structural Variety (and hence difficulty of sticking it all into the tidy slots of a relational database) were as important as its Volume. It s a bit like mentioning World Wide Web inventor Tim Berners-Lee in current stories about the Internet. It s really about one thing: the ability to cost-effectively handle this growing volume and velocity of data. So where s a governance, risk, and compliance specialist to begin? First understand that if you re not a Big Data expert, you re not alone. Joe Gottlieb, president and CEO of Big Data firm Sensage, placed Big Data at about 1.5 on a scale of 10 along the technology-adoption curve, or somewhere between bleeding edge and leading edge. Right now, it s not for the faint of heart, Gottlieb says. There s a lot of investment going into it, and a lot of players who will say, We ll help you overcome the immaturity of Hadoop by wrapping ourselves around it. Hadoop, the foundational technology of Big Data, is a way to use distributed processing to crank through massive data sets on clusters of computers. Its name derives not from a Hindu god, but rather a favorite stuffed elephant of the infant son of Doug Cutting, the programmer who developed it at Yahoo starting in Hadoop and other Big Data tools like MongoDB and Cassandra all have the ability to handle massive amounts of data ranging from structured information like that populating tidy rows and columns of relational databases to unstructured data in the form of free text, images, and video with relative ease and at low cost. Big Data provides advantages on several levels. Foremost is that because Big Data is optimized for unstructured data, a company doesn t have to spend a lot of time packaging square-peg data into round-hole relational databases. Big Data is also great for cloud computing and can harness that technology s outsourceable, pay-as-you-go flexibility. Big Data s core software is open source, although companies like IBM do license enhanced versions aimed at compensating for Big Data s technological immaturity. And the software is fairly intuitive for experts in traditional databases. If you re familiar with database technologies, you re in a good position to quickly learn some of these new data stores whether it s Hadoop, MongoDB, or Cassandra, says Brian Gentile, CEO of business-intelligence software firm Jaspersoft, which plugs into Hadoop and other Big Data sources. There are still plenty of drawbacks, too. Talent is still an issue. Gentile says that much of the Big Data technical expertise still resides at vendors, something that will change as implementations build competence at client sites. The more David Corrigan, Director of Strategy, IBM Information Management
9 9 important talent gap may not be technical at all, he adds. It may have more to do with collaboration and bringing varying disciplines together. For example, says Gentile, a group of mathematicians, computer scientists, and financial gurus in the Ukraine have built a business on adding a huge amount of domain knowledge about how financial markets work to an open-source Big Data platform and packaging and selling their results They re making a fortune, Gentile says. For GRC professionals, the definitions of success are different, but the basic approach is the same, says Richard Anderson, Crowe Horwath Global Risk Consulting s director for the United Kingdom. When you begin to understand your value drivers, you can ask the disruptive questions: What s going to change about it? How can we see the signals? he said. The megaopportunities and mega-threats are outside not just internal. That s what we can do with Big Data that s the strategic excitement. Among GRC types, Big Data could provide a vehicle to broader thinking, says risk and compliance lecturer, author, and consultant Michael Rasmussen. THE RAPID GROWTH OF GLOBAL DATA The Production of Data is expanding at an astonishing pace. Experts now point to a 4,300% increase in annual data generation by Drivers include the switch from analog to digital technologies and the rapid increase in data generation by individuals and corporations alike. Below, Computer Sciences Corp. examines how data has expanded in terms of zettabytes, or Zb (units of computer storage equal to 1x10 21 bytes) since 2009 and what s expected by 2015 and Size of Total Data Enterprise Managed Data Enterprise Created Data.79 Zb 1.27 Zb.96 Zb.36Zb Source: Computer Sciences Corp. 7.9 Zb 6.32 Zb 2.37 Zb 35 Zb 28 Zb 10.5 Zb A lot of times now, it s, I ve checked my check boxes of what s required of me today to pass the scrutiny of the regulator and the auditor, and not thinking big-picture, Rasmussen says. IT is focused on information security issues, corporate compliance, anti-bribery and corruption, and Sarbanes-Oxley. Nobody s thinking about how we look at this more holistically. Corrigan says experimentation is a low-cost way to see how Big Data might yield big business value. The software is open source or available in free trial versions; resources like IBM s Big Data University can help get IT staff up to speed. It s proving that this technology can do something different, Corrigan says. Let s say I have a hypothesis that casting a wider net and capturing more data yields better insights. Are ten years of transactions better than two years? Well, let s prove it. Carl Lackstrom, vice president of risk management and internal audit for Irving, Texas-based healthcare information firm HMS, says his company is Lackstrom dipping its toes into the Big Data waters. The company has long dealt with huge amounts of data, he says, but in structured, industrystandard formats. Like most companies that have looked at it, HMS is in the earliest stages of adoption. I think at best we re taking some of the initial steps that would enable us to consider Big Data in the future, he says. He says Big Data could help enhance its customer offerings as well as provide value from a risk-management and audit perspective. The more data you have in a system with the infrastructure that allows you to do more analysis with it, the more opportunities there are from a risk and audit perspective to understand what s happening with the company, to identify potential issues and control gaps, and to leverage the risks and controls we have, Lackstrom says. But first, he says, hard thinking is needed and there are more questions than answers: What data do we have? What data do we need? What kinds of metrics do you use in terms of evaluating returns on investment? How do you monitor these projects to make sure you re getting value out of them? For something like Big Data, a lot of the vendors out there let s be frank they re trying to sell their products and services and there s a lot of pie-in-the-sky thinking, Lackstrom says. If you haven t thought through what you re trying to get out of these projects, you could very well be pouring money down the drain.
10 10 e-book A Compliance Week publication Using Big Data: Starting Small, Scaling Up How to begin the process of managing your data: what tools to use; where to focus your efforts; and defining data risks By Alix Stuart Big Data is a big deal for Corporate America right now, yes but that doesn t necessarily mean the idea is, well, a big bang. A series of familiar ideas writ large may be the better way to put it. Take the property and casualty insurance market. Underwriting policies has always been a mix of art and science, says Claude Yoder, head of global analytics for insurance broker and risk adviser Marsh, but with the advent of Big Data, it s added more of the science flavor. For example, it s no surprise that the taller a building is, the more likely it is to fall over. With today s extensive data and predictive models, however, insurance providers can now quantify exactly how much more likely that occurrence is, and put a price on topple risk. The enhanced analytics doesn t replace underwriting; it complements it, Yoder says, which makes pricing much more sophisticated (read: harder to for customers to negotiate) as a result. That idea of evolutionary improvement in the understanding of data, giving you more precise insights one iteration at a time, will be recurring theme as Big Data matures. Little surprise, then, that the early adopter of Big Data is the financial services sector, which has long been a heavy user of data and analytics. Banks and retailers have been monitoring transactions and flagging suspicious ones for decades, says Norman Marks, a vice president for SAP and governance expert. The issue now is that the explosion of data makes it difficult to mine all that in time with traditional tools. Big Data, however, also will not come to pass overnight. At $5.2 billion Frontier Communications, vice president of internal audit Neil Frieser has steadily seen more requests for analyses of large chunks of data. One request was a report that can verify the number of new customers each month (as opposed to existing ones who open new accounts); another You don t just wave a magic wand... It s a lot of smaller, lower-value things that we can do that over time should have a bigger impact. was a way to monitor compliance with the company s strict new caps on customer service credits. Frieser has been at it for more than two years, and still considers the effort nascent. You don t just wave a magic wand, he says. It s a lot of smaller, lower-value things that we can do that over time should have a bigger impact. Yet, as slow and as incremental as the understanding of Big Data may be, the amount of Big Data cannot be ignored; compliance, audit, and risk Marks executives do so at their peril. You ve got an explosion in the data, a dramatic reduction in cost of storing that data, and then you ve got the tremendous improvement in quality of getting the data out, plus advances in predictive analytics, which allows you to take all that data and look in front of you, Marks says. The opportunity is fantastic. What You Know Already So, where to begin? For starters, define which risks concern you, or which policies you most want to monitor for compliance. Then look across both structured and unstructured data (including s and social media), to select the items most likely to drive the risk or at least yield some insights about it. Given the volume of data, You don t go searching the haystack until you know what you re looking for, Marks says. Marks advises first nosing around other parts of the company to see whether they already have any Big Data projects underway; the marketing and procurement departments are likely suspects. Social media monitoring is mostly driven by marketing, but there are certainly risks that one could divine from the comments people make about the company, and its suppliers, he says. People in compliance can piggyback on systems that other departments are already using, whether it s marketing, finance, or supply chain. In some cases, executives discover that existing projects begun under some other rubrics fit quite nicely into the Big Data category. At Blue Cross and Blue Shield of North Carolina (BCBSNC), Director of Audit and Risk Management Richard Supinski says the continuous monitoring process he started two years ago is absolutely a Big Data project, and Neil Frieser Vice President of Internal Audit, Frontier Communications
11 11 has shown impressive results. For years, the $5.5 billion health insurance provider could only look at a sample of the millions of claims it processed each month, and compare that with the samples it had drawn from previous months. That sort of auditing was necessary to comply with National Association of Insurance Commissioners model rules, but it didn t give the business much actionable data. Supinski s goal was to get a window into the entire set of transactions each month, without adding new software, staff, or other types of cost. Today, working with existing tools (SQL and a dashboard application called Excelsius), Supinski and his team of three put together a report within a week of the month s close that shows how many duplicate claim submissions the insurer received, which healthcare providers were among the top offenders, and which had shown the greatest increase in such mistakes compared to past months. With that more holistic data in hand, BCBSNC has been able to reach out to the providers and nip a number of errors in the bud. Now that they know we re measuring it, they seem to be more concerned about how many [erroneous claims] they submit, Supinski says. He notes that that duplicates as a percentage of all transactions have declined from about 14 percent of all claims to around 9 percent in the last two years. Banks and retailers have been monitoring transactions and flagging suspicious ones for decades. The issue now is that the explosion of data makes it difficult to mine all that in time with traditional tools. Norman Marks, Vice President, SAP Scaling Up And as Supinski quickly found out, one analysis tends to beget another. Looking at duplicate submissions, for example, flagged a related problem: so-called corrected claims, which initially had problems and needed manual review, and then appeared as duplicates. The team now runs a separate report for those snafus, which are also now declining. Supinski also runs reports for accounts payable transactions, to eliminate double payments to non-healthcare vendors; that exercise has led to reviewing travel and entertainment expenses separately. Other requests for reports are streaming in, but with manual formatting still required for most, Supinski says he will soon need to automate more of the process to meet demand. That automation could take several forms, he says, including extending what he has or buying something entirely new. One of the most appealing options to Supinski is Infogix, which could stream data directly into easily digested dashboards on a daily, rather than monthly, basis. Given the cost of such investments and the difficulty of pinpointing future costsavings, however, it may be a couple of years before we get there, Supinski says. Other organizations have taken the opposite approach. At Frontier, Frieser says he started with a software tool (ACL), looking for ways his department could partner more closely with operations; he then set out on something of a marketing campaign to persuade operational managers to make use of it. We haven t had an overwhelming stampede of people clamoring for us to write new reports for them, Frieser admits, but he is building a client list within the company slowly. His department now runs two to five reports for each of six major areas of the company, including customer service and accounts payable. This year he will also use the tools for internal audit purposes, aiming to assess 100 percent of datasets where possible and selecting smarter samples in other cases. Long term, Frieser wants to find cost savings that ultimately could help drive earnings per Frieser share. Regardless of the tools in hand, however, compliance experts say that using Big Data wisely largely hinges on the ability to collaborate with other human beings, in order to tease out the right insights. We really depend on the business units to give us feedback on what we pull; to tell us what are really errors and what are false positives, so it s a continual collaboration effort Blue Cross Blue Shield s Supinski says. You can t let it go on automatic. The big takeaway about Big Data: don t get discouraged. We are only just starting to understand how Big Data can be used, Marks says. Like with many things, the use of Big Data by a company is only limited by availability of data, technology, and most importantly, imagination. Look for these efforts to ramp up at several companies in the very near future.
12 12 e-book A Compliance Week publication Big Data Playing a Bigger Role in Fraud-Spotting By Alix Stuart Ferreting out fraud is never easy. For years, compliance professionals have relied on the bravery of whistleblowers, the mis-steps of perpetrators, and a good amount of luck to uncover wrongdoing both inside and outside their companies. That may all be changing with the advent of the Big Data era. These days, high-powered analytic tools can crunch through enormous quantities of structured and unstructured data, producing an exponentially greater set of comparisons within the data on any given afternoon than a human could in a month. As companies refine their tools and techniques, catching fraudsters may soon become more a matter of learning how to properly interrogate a computer program rather than putting gumshoes on the case. Like most big data applications, using analytics to help spot fraud is not an entirely new concept. For at least two decades, internal auditors have used tools like ACL and Caseware to manage very large quantities of data, typically structured or numerical data, says Allan Bachman, education manager for the Association of Certified Fraud Examiners and former director of internal audit for a private college. What s new is that now such tools can handle non-numerical data, like employee files or audio from hotline calls, vastly expanding their reach. The ability to analyze text and other unstructured data has become a huge thing, he says, with s and social media activity yielding plenty of insights about what is going on behind the numbers. Indeed, the old rules-based queries are easily evaded by smart thieves who know how to hide in numerical patterns. Fraud is about going where rules don t exist, says Vincent Walden, a partner in Ernst & Young s fraud investigation and dispute services group. That s where we move to modeling tools that integrate text mining. Walden is currently working to help companies assess their risk of violating various global anti-bribery and corruption laws, including the U.S. Foreign Corrupt Practices Act and the U.K. s Bribery Act. Corruption is an area of hot interest for regulators; the Securities and Exchange Commission brought 20 Foreign Corrupt Practices Act cases in fiscal year 2011 and seems intent on keeping the law in the headlines, with a recent $60 million settlement with Pfizer on this issue. Many of the bribery schemes in the cases on record lasted for years before they were detected, and some involved several executives. Walden says that s in part because the analytics required for detecting bribery and corruption fraud schemes are fundamentally different from those [used to look for] traditional financial and accounting frauds, even though both rely on similar sources of data, including the general ledger, accounts payable systems, and travel and expense tracking systems. Detecting improper payments largely comes down to what misguided employees enter into the free-text field of a payment description in the accounts payable system, Walden says. His analytics are designed to identify the most frequently occurring noun phrases in those fields, sorting them by frequency, and then dollar amount. From that, he gets a sense of what s standard (like invoice entry ) and what s out of the norm (like volume contract acceleration, or special advance ), possibly indicating an illegal payment. Sometimes the phrases will be specific one scheme Walden found used the code word black to mark everything related to it while other terms tend to be universal. One of the more suspicious words is special; if a payment is special, it definitely needs to be looked at, he says. What would have taken weeks or even months for investigators to accomplish in the past without Big Data tools can now be done in a matter of minutes. Scanning the results of such a query generally takes about 30 minutes with a cup of coffee, Walden says. On the Offense Plenty of companies, particularly those in high-stakes industries like banking, insurance, and healthcare, are using data tools to protect themselves against external fraud threats. We look at a series of transactions coming through and apply analytical models and standard data mining techniques to determine whether or not a threat is likely present, says Scott Burroughs, manages the software portfolio for IBM s industry solutions, including fraud detection tools such as i2, SPSS, and Content Analytics. One common way that money launderers and insurance fraudsters try to hide, for example, is by using slightly different variations of a name in several cases. Bill Smith may be a victim in one car crash, B.J Smith may be a witness in another, and John Smith may have been a passenger in a
13 13 car crash several months before, an IBM case study notes. Such nuances are unlikely to be spotted by the human eye, particularly if they occur over time and in different business units. With Big Data capabilities, though, you can parse through huge amounts of data and reveal that this person is in the center of all these transactions even though they re not actually executing them, says Burroughs. Armed with such results, insurance companies can decide whether to challenge the claim or ask the claimant for more details; actions which will often scare away less-sophisticated thieves in and of themselves. The tools can also help flag suspicious transactions for a closer look. A lot of what we re trying to do is help clients look at more transactions faster and pinpoint the big impact items, Burroughs says. Along those lines, predictive models aim to figure out which ones are most likely to yield results, sometimes incorporating investigators free-text notes from previous, unresolved investigations to determine whether a new case matches any intangible aspects of older ones. Experts stress that finding fraud in piles of data still relies heavily on human intelligence, in addition to turbocharged Big Data tools. I ve found fraud over four decades, and a lot of it is asking people the right questions, listening to the answers, comparing those to what you thought they would say, and then going to the data to see if it follows what they said, says Don Sparks, vice president of industry relations for data analysis services and tools provider Audimation Services and former chief audit executive for a property and casualty insurance provider. Sparks says much useful data lies under the radar. A search of printer logs, for example, helped him spot a scheme in which an employee illegally printed and sold over $200,000 worth of amusement park tickets that the company was supposed to be giving to charity. Matching up network activity and vacation schedules can uncover people who aren t doing what they say they re doing. Internal fraud investigators can also easily correlate employee records and vendor records to hunt for evidence of dummy companies, a common scheme in which an employee creates a fictional firm, such as a rug cleaning company, and then signs invoices to be paid to it. (In most cases, the two will share some identifier, likely a zip code or phone number.) The tools are all there, the problem is that companies often don t know what to look for, he says. Fraud is about going where rules don t exist. That s where we move to modeling tools that integrate text mining. On the Outside Looking In Then there s the problem of actually getting the data. The one entity that is least likely to use big data to find fraud is, ironically, is the external auditor. There are a number of tools in existence that are very helpful at identifying anomalies and more are being developed, says William Titera, an audit partner with Ernst & Young. However the number-one barrier to using these tools is the inability to get complete, accurate data in a timely manner. That s largely the result of inconsistencies in how ERP systems maintain and export data to auditors, due Vincent Walden, to varying specifications from vendor to vendor and even company Partner, Ernst & Young customizations within the same product. This lack of standardization is a barrier to the use of sophisticated data analysis, which is critical to enhancing audit quality, Titera says. In response, the AICPA s Assurance Services Executive Committee, which Titera chairs, recently issued an exposure draft on audit data standards, in conjunction with all the major audit firms and the three largest ERP vendors, among others, with comments due Sept. 17. None of those obstacles seem to be stopping government agencies, however, which have the power to commandeer just about any data they desire and are steadily accumulating the tools they need to crunch it. Read any recent SEC or Department of Justice complaint and you ll see a healthy dose of evidence coming from searches of and other computer activity. One particularly chilling case: The SEC was able to charge a Bristol Myers Squibb finance executive with insider trading in part because he searched for ways to avoid such charges on his work computer. In fact, if there s any incentive for companies to get more serious about searching their own data for fraud, it may be this: We work on both sides of the fence, says IBM s Burroughs, and the tools are all the same on the law enforcement side as they are on the corporate side.
14 14 e-book A Compliance Week publication Big Data: For All Its Promise, Obstacles Remain By Alix Stuart Without doubt, Big Data is on the rise. President Obama authorized $200 million in March to be spent on Big Data research for the federal government; the CIO of Walmart posted a video on YouTube in August where she proclaimed that retail essentially is Big Data. Any number of surveys find that executives are collecting more data and planning to spend more so they can analyze it. Still, none of that means Big Data will be easy to embrace. The reality is that Corporate America is mis-structured in all sorts of ways to take full advantage of what Big Data has to offer. Current methods of classifying and storing data, for example, can make it difficult for analytical software to find and extract the precise information they need. Many employees have neither the skill nor the time to do Big Data analysis. The workflow processes companies use today might not even generate data you d want to capture and put to use tomorrow. The net result: Few companies are finding diamonds in their piles of data. More common were the sentiments expressed in a survey of 300 business executives conducted by Oracle. Respondents said they are missing out on opportunities that amount to an average 14 percent of annual revenue due to an inability to leverage the data they have. You can see Big Data; you can feel it, you can taste it, says Navin Ganeshan, vice president of products and technology for Centrifuge, maker of an analytics tool that creates visualizations out of large amounts of data. But companies have a lot of trouble figuring out how to systematize it. The promise of Big Data is that it can combine multiple, disparate data sets to yield answers that could never come from studying separate piles of data alone. For example, you might uncover a payroll fraud by matching employee vacation schedules in the HR department with key-card access records in the facilities department, to detect someone entering the premises when he shouldn t be there. You can see Big Data; you can feel it, you can taste it, but companies have a lot of trouble figuring out how to systematize it. Navin Ganeshan, VP of Products and Technology, Centrifuge But even in that simple case, such data typically exists in silos that only a corporate IT department could piece together correctly. So now someone would need to tell the IT department to do so (that would be you, the compliance executive), and the IT department would need the time and manpower to spare (which it never does). And the prospect of incorporating useful data outside the company s ownership, like Twitter or Facebook posts? Dream on. Incomplete access to data is the top obstacle to getting crisp analysis, according to a recent survey by Capgemini. There is a tsunami of pent-up need within most companies, says Goutham Belliappa, a principal in Capgemini, and the challenges of data integration are not going to go away, as the [group] that manages the data will have more and more needs in the future. Now, compliance officers do stand a better chance than most in a company of getting their hands on multiple sets of data. But short of running an internal investigation (which has a wonderful way of driving cooperation), convincing others to provide wanted data can still be a battle. It totally makes sense to auto-generate reports, pulling in information from different databases, and then just looking at anomalies to help identify negative trends, says Neil Frieser, vice president of internal audit for Frontier Communications. But sometimes operations management doesn t want to be dragged along for the ride. The pushback, Frieser says, is largely the result of the extra time required for managers to structure meaningful comparison of data and then refining the comparisons to eliminate false positives not to mention time to further investigate any legitimate discrepancies that emerge. In a recent study titled The Future of Big Data, the Pew Internet & American Life Project asked more than 1,000 people involved in technology how they imagine Big Data will evolve from now through The comments all free-response answers varied widely, but data availability and comparability was a recurring theme. Big Data will not be so big, said Jeff Eisenach, managing director for consulting firm Navigant Economics,
15 15 because most data will remain proprietary, or reside in incompatible formats and inaccessible databases where it cannot be used in real time. The People Problem Even if all the data were perfectly organized and open, however, another reality is that companies will need actual human beings to use it the fabled technology worker who understands the business, someone with strong statistical skills and a deep understanding of the company s business. Such persons are currently about as common as unicorns or the Chicago Cubs in the World Series. Indeed, in the Capgemini survey, lack of skilled labor was the second-biggest obstacle cited by respondents. Without people to analyze the data intelligently, reaching useful conclusions to drive the business is nearly impossible, various respondents said. Even worse: Without the right people, decisions that do get automated are more likely to lead to disaster. As Michael Knorr, head of data and integration services for Citigroup, commented in Capgemini s report: The more money that is at stake in a decision, the more important people are. For example, automated loan decisions can work well in the consumer market, where errors are relatively easy to correct with a phone call. In the commercial world, however, a loan that is erroneously rejected for a time-sensitive need like a shipment of cargo can lead to large losses. The good news is that Big Data is improving on numerous fronts, with the next generation of tools aiming to make information attainable for dummies or at least the ordinary business executive. For starters, more efficient storage of data means more efficient retrieval, and more analysis in real time, says Neil McGovern, senior director of financial services product management at SAP. McGovern notes that data warehouses themselves have made great strides in the last 10 years, thanks to a number of advances including column databases that can organize data fields in relation to There is a tipping point when the value in Big Data exceeds the cost of obtaining that data. Neil McGovern, Senior Director of Financial Services Product Management, SAP each other, and can also recode certain types of numbers such as zip codes to make them smaller. Nerdy? Yes, but the advances are still critical. Next, he says, is to make analysis fast enough that programs can find and read the data at its underlying source rather than in the data warehouse, which saves the step of putting data there. SAP is among the many software heavy-hitters trying to achieve such breakthroughs, but a flock of startups are dedicated to Big Data as well. Some are focused on data visualization, such as Clearstory, backed by Google Ventures; others, including Centrifuge, aim to make data integration a non-issue by integrating pieces of data as they re created. Such new tools could even help organizations already on the path to a Big Data strategy. Investment banks, for example, have long been using analytics to track possible breaches of the firewall meant to exist between research analysts and traders. They ve already built really sophisticated systems to flag any events that might be a firewall cross, such as a trader having a phone conversation with someone on other side of wall or two individuals being in same conference room at same time, Ganeshan says. But the price for that effectiveness? Compliance groups at such banks now get 7,000 to 10,000 alerts per day, an overwhelming number. Centrifuge tries to solve that problem by pulling in even more data, such as a trader s trading history, or history of conversations with particular people, to give a better sense of whether those encounters are illicit or acceptable. Our focus is completely on enabling normal business users, who are not necessarily tech experts, Ganeshan says. For most businesses, however, the best Big Data strategy right now is to proceed cautiously. There is a tipping point when the value in Big Data exceeds the cost of obtaining that data, says SAP s McGovern. And that tipping point will arrive sooner or later, as the cost of tools comes down and the value becomes more apparent.
16 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS The value in big data is all in how you see it. There s no getting around it, data is everywhere. But it doesn t help unless you can see the big picture. And that takes perspective. It s that kind of perspective you ll find in KPMG s approach to Data & Analytics. We help you access and analyze complex data from across your organization, then turn this information into clear, actionable insights. So you can create more value from your data. And keep your organization moving in the right direction. Learn more about our perspective. Contact Jeanne Johnson, Principal, Advisory at or or kpmg.com