Forensic Analytics Indiana University

Forensic Analytics Indiana University Kirk Petrie Senior Manager Carol Tannous Senior Manager November 12, 2014 Deloitte Transactions and Business Analytics LLP Copyright 2014 Deloitte Development LLC. All rights reserved. 0

ACFE study recognizes high impact of fraud Economic stress can lead to global fraud problems. [ACFE Global Fraud] Survey participants estimated that the typical organization loses 5% of revenues each year to fraud. If applied to the 2013 estimated Gross World Product, this translates to a potential projected global fraud loss of nearly $3.7 trillion. This can result in increased pressure on professionals to meet earnings targets and increase risk of misappropriation of assets due to layoffs and cost cutting measures. The median duration the amount of time from when the fraud commenced until it was detected for the fraud cases reported to us was 18 months. 1 1 Association of Certified Fraud Examiners (ACFE) Reports to the Nations, 2014 Copyright 2014 Deloitte Development LLC. All rights reserved. 3

Fraud In the News Fraud and misuse occurs across industries BNP Paribas faces fine of more than $10bn in US sanctions investigation Wal-Mart Forecasts More Than $200M in FCPA Costs Sources: The Wall Street Journal, The Guardian, Reuters Copyright 2014 Deloitte Development LLC. All rights reserved. 4

Misappropriation: Vendor (Business Partner) Fraud Leveraging access to payments to misdirect funds Variety of schemes where employees who are entrusted to manage the funds of an organization steal from it. Ghost Vendors Fraudster creating and making payments to a fictitious vendor Disbursement Schemes Distribution of funds in overbilling or other unauthorized disbursement schemes Conflict of Interest Employee-to-vendor or vendor-to-vendor relationship that may result in preferential treatment Difficult to detect due to lack of data Poor or non-existent record keeping of the business partner Vague or scarce detail on invoices or other supporting information Unrecorded communications, such as calls or text messages to mobile phones, between staff and business partners Supply chain staff not taking vacations or holidays, thereby leaving others in charge of day-to-day tasks Copyright 2014 Deloitte Development LLC. All rights reserved. 5

Corruption: The Foreign Corrupt Practices Act Vendor fraud and improper deal making on a global scale Enacted in 1977 and amended in 1998, prohibits a U.S. person to make a payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, another person. Applies to foreign firms and persons who act in furtherance of such corrupt payments while in the United States. Specifies no materiality, making it illegal to offer anything of value as a bribe, including cash or non-cash items Distinguishes between bribery and facilitation payments as long as permitted under laws of the host country Settlements are becoming costly December 2008: Siemens 1 $800 Million Highest ever January 2009: KBR/Halliburton 2 $579 Million Highest for a U.S. company Rising Input Costs + Domestic Market Saturation = Pressure to Globalize Operations 1 http://blogs.wsj.com/law/2008/12/15/siemens-settles-in-us-for-800-mil-leaving-for-german-authorities/ Copyright 2014 Deloitte Development LLC. All rights reserved. 6 2 http://blogs.wsj.com/law/2009/01/26/halliburton-breaks-fcpa-settlement-record-for-us-companies/

Financial Statement Fraud: Revenue Manipulation Manipulating earnings across many levels of the organization Deliberate misrepresentation or omission designed to provide a false sense of stability in an organization s financial position. Can take many forms and initiated at various levels of the supply chain: Invoice and returns manipulation: Suspicious patterns of returns or credits occurring directly after fiscal quarter or year-ends Channel stuffing: Evidence of higher discounts or returns post quarter end. Profile data by product and customer groups to see outliers. Fictitious sales: Unusual patterns of inventory movement or sales entries Bill and Hold: Evidence of customer inventory being stored in warehouse Refreshing Receivables: Re-invoicing and manipulation of receivables Difficult to detect because perpetrated at different levels of the supply chain (including C-suite) and the goal is often only to maintain an image of financial stability. Copyright 2014 Deloitte Development LLC. All rights reserved. 7

Industry-Specific Fraud Forged identities, counterfeit products, hacking, and theft Telecommunications Financial Services Counterfeit, cloned, and stolen credit cards (US leads the world) Money laundering Mortgage fraud Impersonation for credit loans Electronic check deposit / mobile deposit fraud Toll fraud to compromise security (hack) a PBX system Bypass fraud / denial of service attacks E-Commerce and Retail Forged identity for internet transactions / identity theft Stolen goods Counterfeit goods (especially electronics) Procurement fraud Returns and warranty fraud Public Sector Social welfare fraud Regulatory filing and securities fraud Tax payer fraud Contracting and misuse fraud Life Sciences Drug counterfeiting Off-label drug marketing Clinical trial fraud Medical identity theft Automotive and Industrial Identity verification on loan applications Warranty fraud Repair fraud Supply chain fraud, especially in overseas locations Copyright 2014 Deloitte Development LLC. All rights reserved. 8

Potential Challenges to Combat Fraud Cost constraints vs. technology and business needs Lack of interface to financial and reporting systems Multiple accounting systems How do I run my tests on SAP? Oracle? Challenges in procuring data Reduced staff and budgets Demand for increased cost effectiveness Driving more value out of testing procedures (automated versus manual review) Aim for comprehensive review of macro- and micro-level issues Affordability of a technology solution Need for tools to capture, reconcile, analyze, and report data Data security and confidentiality Very large volumes of data, often over a variety of systems Custom solution or out of the box? Global versus domestic scope Need to identify areas and countries of focus Lack of understanding of local customs, languages, and practices Copyright 2014 Deloitte Development LLC. All rights reserved. 9

Analytics in the News Stretching across industries and functions Sources: http://www.forbes.com/sites/howardbaldwin/2014/10/28/big-data-taking-industries-by-storm/ http://archive.wired.com/science/discoveries/magazine/16-07/pb_intro http://www.theatlantic.com/technology/archive/2014/10/big-data-can-guess-who-you-are-based-on-your-zip-code/381414/ http://hbr.org/2012/10/big-data-the-management-revolution/ar Copyright 2014 Deloitte Development LLC. All rights reserved. 11

Approach to Forensic Analytics From identification through analysis 1 DATA IDENTIFICATION Mapping of Electronically Stored Information (ESI) Identification of structured and unstructured data Identify relevant thirdparty data 2 Structured Data FORENSIC COLLECTION ETL Collect data using forensic preservation standards Maintain chain of custody Perform data integrity check to compare completeness 3 Use temporal and entity keys to integrate structured and unstructured data Superimpose data sets to derive context Unstructured Data DATA FUSION 4 Discovery Continuum FORENSIC ANALYTICS Apply rules-based detection on 100% of transaction data to identify anomalies (fraud, terrorism threats, etc.) Develop statisticallybased models to identify previously unknown patterns Optimize anomaly detection rule sets through a feedback loop New Patterns Risk-Ranked, Anomalous Data Sets Copyright 2014 Deloitte Development LLC. All rights reserved. 12

Flavors of Fraud Analytics Techniques A variety of approaches for a variety of findings Predictive Modeling Applying statistical techniques to develop probabilistic outcomes and projections on data sets. Anomaly Detection Applying previously known rules as a look-back against transactional data sets to identify anomalous behaviors. Network Analysis Discover associations between entities to identify potential fraud networks and other collusive behavior. Geospatial Analysis Adding spatial operations enhances analytics with an additional dimension based on geospatial patterns, relationships, and inferences. Text Analysis Analyzing unstructured data for sentiments, common themes, relationship. Copyright 2014 Deloitte Development LLC. All rights reserved. 13

Predictive Analysis Applying statistical and machine-learning techniques to develop probabilistic outcomes and projections on data sets. Adapt to evolving schemes Not based on prior knowledge/patterns Supervised approach addresses known and hidden patterns Unsupervised approach identifies new and emerging patterns Supervised Modeling Regression: Discover complex patterns in historical data with models that describe how fraud is related to one or more other factors using mathematical equations. Clustering: Identify patterns that are inconsistent with normal activity with statistical profiling. Unsupervised Modeling Copyright 2014 Deloitte Development LLC. All rights reserved. 14

Anomaly Detection Identification of items, events or observations which do not conform to an expected pattern or other items in a dataset Unsupervised modeling approach Creates peer groups from which to compare an observation against Can identify new/emerging trends of fraud in the data Tax Return Data Fraudulent returns Fictitious returns ID theft Excessive credits Inaccurate income Criminal schemes Observations deviate from the norm suggest they are anomalous Return preparer fraud Anomaly Types Copyright 2014 Deloitte Development LLC. All rights reserved. 15

Network Analysis Mapping relationships between entities to identify temporal, event, and association networks Reveal normal and anomalous patterns of interaction within and between groups Expose facilitators and enablers of fraud Follow transaction trails using link analysis Identify key individuals such as brokers and gatekeepers Identify potential vulnerabilities within a network Group Number: Broker Isolate Gatekeeper Copyright 2014 Deloitte Development LLC. All rights reserved. 16

Geospatial Analysis Adding spatial operations enhances analytics with an additional dimension based on geospatial patterns, relationships, and inferences. Sometimes flat data doesn t tell the whole story. There may be correlations that are only visible on a map, identified using the following analyses: Cluster analysis Spatial recognition Outliers Fraud hot spot density map. Regional supply chains vulnerabilities Copyright 2014 Deloitte Development LLC. All rights reserved. 17

Text Analysis Analyzing unstructured data for sentiments, common themes, and relationships. Emails, files, and documents Tweets, blogs, and social media contents Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam pellentesque imperdiet pretium. Quisque ac augue sit amet odio vestibulum SENTIMENTS porta id ut nisi. Maecenas nibh nibh, vestibulum at laoreet non, dignissim ac urna. Aenean nec mi est. Maecenas vitae lectus leo. ENTITIES Mauris auctor, magna et rhoncus bibendum, urna mauris tempor ante, id bibendum turpis ligula a massa. Aliquam lobortis aliquet augue, nec blandit diam RELATIONSHIPS auctor eget. Nunc congue massa vitae est ultricies feugiat in vitae enim. Curabitur semper tellus eu nulla blandit a rutrum diam faucibus. Aliquam erat volutpat. Donec euismod hendrerit nulla, vitae molestie enim vehicula vitae. Donec nec PATTERNS ligula vel dui viverra mattis. METADATA Cras tristique leo in lorem pharetra luctus. Phasellus in interdum tortor. Pellentesque erat risus, scelerisque vel lobortis ac, mollis vel nulla. In hac habitasse platea dictumst. Copyright 2014 Deloitte Development LLC. All rights reserved. 18

Enterprise View Time Business Analytics Maturity Model Developing a conceptual road map Level I Level II Level III Level IV Frequent Continuous Mature Analytics Ad-Hoc Periodic Enterprise Function Network, Text, Geospatial Tools Advanced Analytics Department Predictive Analytics Software Statistical Models Team Databases Rules-Based Queries Key Capabilities Tools and Technologies Spreadsheets Curren t State Random Samples Analytics Copyright 2014 Deloitte Development LLC. All rights reserved. 20

Cognitive Computing Cognitive computing is inspired by the way the human brain processes information, draws conclusions, and codifies instincts and experience. Cognitive computing auto-detects the similarity of new things to things previously seen or spots the anomalies. Detecting fraud by identifying relevant patterns Legal document review Claims management Spam filters Cognitive computing is rapidly becoming an indispensable technology to offload timeconsuming and repetitive tasks to intelligent software with highly refined and consistent results. Speech Recognition Natural Language Processing Machine Learning Algorithms Cognitive Computing Image & Pattern Recognition Artificial Intelligence Data Mining Deloitte estimates the U.S. cognitive computing market will expand in five years from the current $1 billion to $50 billion in 2018. Source: http://www.cnbc.com/id/102069981#. Copyright 2014 Deloitte Development LLC. All rights reserved. 21

Cloud Storage of Data Utilizing remote, networked servers to store, access, and analyze large volumes of data and services. The availability and accessibility of these services allow for flexible storage for a variety of data mediums, including photo and video. Serving as a critical component of data storage for fraud analysis Agile content, including video surveillance Cost-scalable Location independence, allowing for remote viewing Low maintenance and optimized performance Copyright 2014 Deloitte Development LLC. All rights reserved. 22

Big Data and Parallel Processing Utilizing storage and large-scale processing of data on clusters to process tremendous volumes efficiently. Available through both commercial and open-source options. Allowing dynamic review of a large volume and variety of data Variety encompasses different media types (structured and unstructured) Allows near real-time analysis Copyright 2014 Deloitte Development LLC. All rights reserved. 23

EFM: A New Approach to Fraud Prevention Continuously and comprehensively reviewing risks of fraud Enterprise Fraud and Misuse Management (EFM) provides a continuous monitoring solution to mitigate both the known and the emerging patterns of fraud, waste and abuse. Proactively screen data to identify suspicious patterns or anomalies on a real-time basis Remedy issue before it causes damage Look inside and outside the organization Move away from data silos Structured and unstructured Big Data Terabytes, petabytes, and beyond Time Enterprise View EFM Analytics Data Profile Copyright 2014 Deloitte Development LLC. All rights reserved. 24

Scenario Exploiting humanitarian funds and efforts Background: After first Gulf War, UN developed a program to allow Iraq to sell oil on the world market in exchange for food, medicine, and other humanitarian needs. Goods exchanged to prevent Iraq from boosting its military capabilities. Indications surface of corruption and kickbacks. Goal: Identify extent of and major players involved in the misappropriated funds. Copyright 2014 Deloitte Development LLC. All rights reserved. 26

UN Oil-For-Food Investigation Collecting and Ingesting Transactional Data from Various Data Sources Humanitarian Goods Oil UN UN Iraq Iraq Shipping Agents Oil End Users Financing Institutions Financing Institutions Humanitarian Goods Companies Traders Copyright 2014 Deloitte Development LLC. All rights reserved. 27

UN Oil-For-Food Investigation Fusing Structured and Unstructured Data Data in varying formats and from various sources are processed, fused, and superimposed to enable a more contextual interpretation and analysis. Structured Data Extract Transform Load Derive temporal and entity keys CENTRAL DATAMART ID Date Name Account Number GL Amount 1001 12282005 Peter Smith 0001020100204010 AC 199924.32 1002 05311999 Mike Trombone 3002001002010034 AF 943.55 1003 09112000 Sally Thomas 0010201010200230 EH 398920292.32 1004 11012005 Nigel Thompson 0029387466189388 EW 826563.45 1005 08101978 Abe McNamara 2881002938272998 EW 185726.39 1006 12282005 Peter Smith 0001020100204010 AC 199924.32 1007 05311999 Mike Trombone 3002001002010034 AF 943.55 1008 09112000 Sally Thomas 0010201010200230 EH 398920292.32 1009 11012005 Nigel Thompson 0029387466189388 EW 826563.45 1010 08101978 Abe McNamara 2881002938272998 EW 185726.39 1001 12282005 Peter Smith 0001020100204010 AC 199924.32 1002 05311999 Mike Trombone 3002001002010034 AF 943.55 1003 09112000 Sally Thomas 0010201010200230 EH 398920292.32 1004 11012005 Nigel Thompson 0029387466189388 EW 826563.45 1005 08101978 Abe McNamara 2881002938272998 EW 185726.39 1001 12282005 Peter Smith 0001020100204010 AC 199924.32 1002 05311999 Mike Trombone 3002001002010034 AF 943.55 1003 09112000 Sally Thomas 0010201010200230 EH 398920292.32 1004 11012005 Nigel Thompson 0029387466189388 EW 826563.45 1005 08101978 Abe McNamara 2881002938272998 EW 185726.39 1006 05021980 Addison Joyce 4729819938200028 YH 8666762202.39 Unstructured Data Copyright 2014 Deloitte Development LLC. All rights reserved. 28

UN Oil-For-Food Investigation Result: A Comprehensive View of Financial Activities Example: Reconstructed Humanitarian Transaction from Various Data Sources UN Iraq Bank Company Contract holder Company Front Company Contract number Contract agreeing to pay illegal fees Contract value Company & Front Company 1024022 W/29/M-52 LC 206745 Y Company & Front Company 1024022 & W/29/M-52 $11,000,000 $11,000,000 $11,000,000 $11,000,000 Company agent Company & Front Company W/29/M-52 Transportation agent Front Company W/29/M-52 Payment After sales service fee Inland transportation fee Tender fee $10,500,000 $10,500,000 $10,500,000 $1,000,000 $900,000 $900,000 $400,000 $300,000 $300,000 $300,000 $200,000 $200,000 $200,000 Bank fee $20,000 $20,000 Copyright 2014 Deloitte Development LLC. All rights reserved. 29

US$/Metric Ton UN Oil-For-Food Investigation Result: Quantifying the Impact Understanding Overpricing Related to Actual Costs 350 300 250 200 Projected expenditures differ from actual costs in later years 150 100 50 0 1 2 3 4 5 6 7 8 9 10 11 12 13 Bi-Annual Phases Expected CFFP Market Actual OFFP Cost for Food Program (CFFP) versus Actual Oil for Food Program Copyright 2014 Deloitte Development LLC. All rights reserved. 30

Global Energy Company Fraud, Waste, and Abuse Scenario CRISP-DM Methodology Business and Data Understanding Data Preparation Modeling Evaluation Deployment Copyright 2014 Deloitte Development LLC. All rights reserved. 31

Scenario Identifying global supplier fraud Background: An energy and resources company operates all over the world in remote locations. Supply chain logistics are complex, buying volume is high, and new accounting systems had recently been implemented. The company had discovered one of their supply purchasers has been in collusion with vendors and was receiving kickbacks in exchange for overpaying and overbuying mechanical goods. The company is concerned that other instances of supplier fraud are occurring. Goal: Evaluate the potential effectiveness of a proactive approach for identifying fraud, waste and abuse by identifying the necessary pre-work to create models, work to generate predictive models, and post-work to improve model efficiency. Copyright 2014 Deloitte Development LLC. All rights reserved. 32

Actual CRISP-DM Approach From understanding through deployment Cross-Industry Standard Process for Data Mining (CRISP-DM) Stepwise Phases DB Materials Master Requisitions Analytics to identify known fraud? Similar cases? Most reliable analytic technique? Identify potential fraud on an ongoing basis? Deployment DB Data capture points? Purchase Orders Merge and cleanse data to establish reliable records to analyze? Analytics to identify unknown fraud? Modeling Evaluation Yes Predicted No Key business processes? Vulnerabilities? Past fraud? Data storage and formats? Data Understanding Data Preparation Yes 247 17 No 32 13,582 Business Understanding FAMILIARIZE ANALYZE OPERATIONALIZE Copyright 2014 Deloitte Development LLC. All rights reserved. 33

Business and Data Understanding People Process Data Subject Questions Answers People Data Who are the subject matter experts in the procurement process? Who are the key role players in the supply chain? When is the data captured in the process and where is it stored? What are the major procurement tables and how are they related? Global Supply Chain Directors, Inventory Controllers, etc. Requestors, Inventory Controllers, Buyers, Approvers, Suppliers/Vendors SAP captures data throughout the procurement process SAP tables form the base for Purchase Order Information Artifact 1: Business Process Flow Artifact 2: Data Architecture Copyright 2014 Deloitte Development LLC. All rights reserved. 34

Business and Data Understanding (continued) Fraud fingerprints Analyzing Fraud Fingerprint Characteristics Price Increases Significant increases in Material Unit Price Split Requisitions Splitting Purchase Requisitions into multiple Orders Same Day Orders Multiple orders for a material on the same day Skirting Approval Purchase Order Amounts just below approval thresholds Copyright 2014 Deloitte Development LLC. All rights reserved. 35

Our Approach: Decision Tree Applying Rule-Induction machine-learning technique to develop probabilistic outcomes and projections on data sets Challenge Identify suspicious purchase orders that do not violate traditional fraud tests Technique Tools Decision Tree model was built using SPSS Modeler Visualization Utilize supervised technique of rule-induction to identify known and hidden patterns Labeled cases generated by evaluated business rule transactions are used to train the decision tree to identify different types of suspicious transactions Handle missing data as well Reason for Using Method can see beyond the human eye and significantly increase model performance Outcomes Dramatic increase in model accuracy compared to rules model Significantly fewer transactions to be evaluated manually Supervised modeling uncovers hidden pattern Copyright 2014 Deloitte Development LLC. All rights reserved. 36

Our Approach: Anomaly Detection Identification of items, events or observations which do not conform to an expected pattern or other items in a dataset Challenge Identify suspicious purchase orders that do not violate traditional fraud tests Technique Tools Anomaly Clustering conducted using SPSS Modeler Visualization Cluster observations into peer groups Identify observations which are statistically different from observations like itself Use distance metrics to calculate and rank the degree of anomalous activity an observation presents Reason for Using No labeled cases of suspicious activity available Outcomes Observations deviate from the norm suggest they are statistically anomalous Identified emerging pattern of purchase order amounts outside of the expected peer group Copyright 2014 Deloitte Development LLC. All rights reserved. 37

Evaluation and Deployment Putting the results into action Actual Confusion Matrix Predicted Yes No Yes 200 72 No 95 1,120 The above matrix shows that the modeling is closely predicting the suspiciousness of orders at 88.7% True Positive rate = 74% False Positive rate = 8% Is this an acceptable performance? If Yes, than move on to deploy model If No, return to Modeling phase to enhance modeling performance Monitoring Options Once a model is accepted it can be deployed Options for deploying a model Ad hoc Frequent Continuous Ad hoc is the cheapest option, but also the least effective. Frequent requires a part time effort and is a good option for companies that do not want to overspend for a solution Continuous monitoring may benefit from a full-time team to leverage advanced tools on an ongoing basis for higher levels of fraud detection and prevention. Copyright 2014 Deloitte Development LLC. All rights reserved. 38

The Role of Analytics in Regulation and Litigation Communication and translation are paramount experts are increasingly utilizing advanced (and legally defensible) sampling and predictive modeling and coding techniques to limit the onerous effort that a full-scale review of documents and data entails. Courts are more likely to accept these newer approaches to the extent that experts are able to translate complex statistical, accounting, financial, and sometimes abstract economic concepts to judges and juries in ways that are compelling and clearly understandable to the layman. - Kennedy Consulting and Research Advisory Report (2013) Copyright 2014 Deloitte Development LLC. All rights reserved. 39

"This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright 2014 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited