SECRETS, CONSPIRACIES AND HIDDEN PATTERNS: Detecting and Combatting Fraud in the Public Sector
Kansas GFOA Fall ConferenceOctober 11, 2017
5 TOP FRAUD TRENDS
2 // experience clarity
#1 – HIGH COST OF FRAUD
• 5% of revenue lost to fraud and abuse each year• Cost of external assistance with investigation for insurance or
criminal purposes– Lawyers– Forensic accountant
• Higher insurance costs in following year(s)
HIGH COST OF FRAUD
• Non-monetary loss can be more damaging than the actual monetary loss– Loss of reputation
• Public assumptions– Loss of employee morale– Loss of productivity due to internal investigation
#2 - 2ND MOST TARGETED INDUSTRY
Median loss for public sector entities: $133,000
#3 - RECOVERING FUNDS IS THE EXCEPTION• In 58.1% of the reported frauds, there was NO recovery• Money not in interest bearing bank account, often gambled
away– The one time it was….
• For the 12% of reported frauds in which there was full recovery, the source of recovery was usually an insurance policy
INSIGHTS ON FIDELITY BONDS
• Likely only chance at meaningful recovery• Civil litigation to recover losses often fruitless• Watch your internal controls if you expect your insurance to
pay…
#4 – MOST FRAUDSTERS HAVE NO PRIOR CRIMINAL HISTORY
• 88.3% of fraudster not previously charged or convicted– However, only about 40% of frauds are ever reported due to
perceived reputational risk– Background checks and reference checks are still important
• Most fraudsters do not take a job with intent to commit fraud, it is often a crime of opportunity
#5 – TIPS ARE THE TOP METHOD OF DETECTION
• For organizations with hotlines, 47.3% of frauds were detected by tips
• Compared to only 28.2% of frauds for organizations without a hotline
4th most prevalent method is BY ACCIDENT
WHITE COLLAR FRAUD CASE STUDY
10 // experience clarity
OCCUPATIONAL FRAUD IN PUBLIC SECTOR
83%; $125,00035%; 200,000 10%; $975,000
STATISTICS SHOW…• Top 3 occupational frauds in public sector
1. Corruption2. Billing3. Expenses Reimbursement4. Payroll
CORRUPTION
CORRUPTION
• An employee misuses his or her influence in a business transaction in a way that violates his or her duty to the employer in order to gain a direct or indirect benefit
• In most businesses, the most common form of corruption is the payment of kickbacks related to purchases
RED FLAGS FOR CORRUPTION
• Off-book fraud, so very hard to detect– Payments often do not go through the organization’s accounting records– Payments often paid in cash
• Look for “behavioral” red flags– Rapidly increasing purchases from one vendor– Excessive purchases of goods and services– Too close of a relationship with a vendor
• Compare order quantity to optimal reorder quantity• Compare purchase volumes/prices from like vendors• Compare quantities ordered and received• Check for inferior goods (# of returns by vendor)• Text analytics (analyze the suspected fraudster’s email….)
DATA ANALYTICS FOR CORRUPTION
BILLING SCHEMES
• Fraudster creates false support for a fraudulent purchase, causing the organization to pay for goods or services that are nonexistent, overpriced or unnecessary– Invoicing via shell company (fictitious vendor)– Invoicing via an existing vendor
• False invoicing for non-accomplice vendors• Pay-and-return schemes
– Personal purchases with organization’s funds
BILLING SCHEMES
• Vendor attribute analysis• Trending of vendor activity• Identification of “high risk” payments
RED FLAGS/DATA ANALYTICS FOR BILLING SCHEMES
VENDOR TRENDING ANALYSISVendor: JLM Plumbing Authorized: Janice L. McPhearson
Test phase
Acceleration as confidence
builds
Getting Greedy
TIME SERIES ANALYSISPossible fictitious vendor
Possible abuse of dormant legitimate vendor
Possible abuse of active legitimate vendor
EXPENSE REIMBURSEMENTS & PURCHASING CARDS
EXPENSE REIMBURSEMENT/P-CARDS• Any scheme in which an employee makes a claim for reimbursement or
fictitious or inflated business expenses– Employee files fraudulent expense report, claiming personal travel,
nonexistent meals, etc. – Employee purchases personal items and submits and invoice to
employer for payment– Employee purchases goods/services for inappropriate uses and charges
to employer for payment
RED FLAGS FOR EXPENSE REIMBURSEMENT/P-CARDS SCHEMES
• Expenses exceed what was budgeted or prior years totals
• Expenses claimed on days employee did not work• Purchases that do not appear to be business related• Minimal or non existent support for requests• Altered receipts• Unusual or excessive reimbursements to one employee• Submitted receipts are consecutively numbered• Expenses in round dollar amounts• Expenses just below receipt submission threshold
• Identify transactions on weekends, holidays or while employee is on vacation
• Identify split transactions in which a large purchase is split into smaller transactions just under approval threshold
• Identify unusually high or frequent expense reimbursement/p-card usage
• Identify expenses in round dollar amounts
DATA ANALYTICS FOR EXPENSE REIMBURSEMENT/P-CARD SCHEMES
FORENSIC DATA MINING
MOST EFFECTIVE ANTI-FRAUD CONTROL
First Place: Proactive Data
Monitoring/Analysis
Last Place: External Audit
WHY EMPLOY FORENSIC DATA MINING TECHNIQUES?• “Big Data” – too much data for manual analysis• Data mining techniques are efficient and effective• Sampling does not reveal patterns and trends• System weaknesses and gaps in internal controls lead to fraud - data
analytics helps finds them• Suspicious activity is a 96.5% match to normal
• Greed, arrogance• Impatience• Habits and tendencies• Territorial comfort zone• Laziness or procrastination
THE 3.5%...HUMAN BEHAVIOR
BENEFITS OF ANALYZING POPULATION VS SAMPLE• The benefit of testing all transactions prevents excuses such as “it was a
mistake, repeated over time”, “computer glitch”, “training issue”, “new software”
• Look at entire dataset to help determine when something irregular began• Most fraud starts small. Small transactions are not excluded
THE GOAL OF FORENSIC DATA MINING
• The aim of forensic data mining is to:– Build a profile of the characteristics of fraudulent behavior
• Looking for patterns
– Identify transaction(s) that meet the historical characteristics of fraud so they can be investigated
• Answer questions through use of analytical software– As simple as Excel
• Filter • Sort
– As complex as you want to make it• ACL• IDEA• Sequel• Machine learning• AI
COMMON DATA ANALYTICS TOOLS
PATTERN DETECTION• Numeric Patterns – fictitious invoice numbers• Time Patterns – Transactions occurring too regularly, activity at unusual
times• Name Patterns – Similar and altered names and addresses• Geographic Patterns – Proximity relationships between apparently
unrelated entities• Relationship Patterns – Degrees of separation• Textual Patterns – Detection of “tone” rather than words
COMMON DATA MINING TARGET AREAS• Vendors and accounts payable (all industries)• Employees and payroll (all industries)• Benefit payments (government entities)• Entitlement programs (government entities)• Revenue collections (government entities)• Tax collections (government entities)
DATA ANALYTICS – COMMON CHALLENGES• Existence of useful data• Data quality• Ownership of data• Organizational culture• Lack of personnel experienced in the use of advanced data analytic tools
TEXT ANALYTICS FAMILY OF FUNCTIONS
TOPIC EXTRACTIONIdentifies overarching topics prior to reading any emailDetermines whose email is read firstAnd, whose is not read at all
TOPIC MAPS AND WORD CLOUDSThe tale of two finance departments from emails between officers and staff….
TONE DETECTIONIdentifies emotional tone of conversations prior to reading any emailUses POS tagging
Adjectives, adverbs, nouns, verbs
Priority is tense or nervous tonesDetermines whose email is read firstGives us only the emails of interest so we do not have to read them all
TONE DETECTION POINTS• Operates under premise that communications have an inherent tone
expressed through adjectives, idioms, even emoticons• Adapted from marketing concept of “sentiment analysis” to flag emails
responsive to a certain tone• Powerful because it does not require any initial starting point or theory
OTHER PUBLIC SECTOR DATA MINING OPPORTUNITIES
DATA MINING FOR PUBLIC SECTOR• How else can government organizations use analytics to prevent and detect
fraud? – By joining various data sets across the organization to find correlations,
and then performing• Sorting• Filtering• Grouping
INSURANCE RELATED ANALYTICS• Match employee workers compensation claims to work schedules, liability
claims, previous workers compensation claims• Compare employee spouses/dependents covered on health insurance to
beneficiaries in retirement system data• Match insured employees to payroll files
BUSINESS LICENSE RELATED ANALYTICS• Match the local business license file with the retail license file and sales
data from the State Department of Revenue• Request accounts payable files from other public entities by FOIA and
match to business license file
PROPERTY TAX RELATED ANALYTICS• Map property tax collections in GIS to look for irregularities• Up to date aerial photography is useful for finding new building
construction or additions not permitted• Match building permit files to property tax assessment increases• Match property tax amounts against utility usage records
UTILITY RELATED ANALYTICS• Match property tax map numbers to storm water charges• Match property tax file locations and GIS data to utility billing data• Match irregular residential electric usage to police crime records
BADGE ACCESS RELATED ANALYTICS
• Match transaction data to building access data– Were transactions performed after normal operating hours? On
weekends or holidays?– Who enters the building afterhours?– Who works late?
PAYROLL RELATED ANALYTICS
• Compare W-2 totals to Human Resources files• Sort by amount paid –trend over years• Calculate pay increase percentages for employees over time• Direct deposit only - check data for duplicate direct deposit checking
account numbers for more than one employee• Look for employees that did not sign up for employer-paid benefits
PUBLIC SECTOR DATA MINING EXAMPLES
US HEALTHCARE FINANCE ADMINISTRATIONUS Health Care Finance Administration needed to isolate the likely causes of payment error by developing a profile of acceptable billing practices and used this information to focus their auditing effort• Used audited discharge records, built profiles of appropriate decisions such
as diagnosis coding and admission• Matched new cases• Cases that did not match were audited• Detected past incorrect payments resulting in significant recovery of
funding lost to payment errors– Indiana Center for Database Systems
US DEFENSE FINANCE & ACCOUNTING SERVICE US Defense Finance & Accounting Service needed to find fraud in millions of Department of Defense transactions and identified suspicious cases to focus investigations• Built detection models based on known fraud patterns• Analyzed all transactions and scored based on similarity to these known
patterns• High scoring transactions were flagged for investigation• Identified over 1,200 payments for further investigation• Integrated the detection process
– Indiana Center for Database Systems
WASHINGTON STATE DEPARTMENT OF REVENUEWashington State Department of Revenue needed to detect erroneous tax returns and focused audit investigations on cases with the highest likely adjustments• Utilized previously audited returns• Modeled adjustment per auditor hour based on return information• Used model to score returns for highest potential adjustments• Maximized auditors’ time by focusing on cases likely to yield the highest
return– Indiana Center for Database Systems
US GOVERNMENT ACCOUNTABILITY OFFICE
Federal employees P-Card program had grown from under $1 billion in 1994 to over $19 billion in 2009• Took samples to test effectiveness of controls• Data mined using criteria such as prohibited goods or services or items
likely to be for personal use • Estimated that nearly 41% of all federal purchase card transactions from
July 1, 2005, through June 30, 2006, failed basic internal control checks • Found that one Federal employee embezzled over $643,000 and that P-
Cards were used to pay for gambling, car and mortgage payments, retail purchases, and online dating services– US Government Accountability Office
US GOVERNMENT ACCOUNTABILITY OFFICEIndividuals posed as disaster victims of Hurricanes Katrina and Rita in order to obtain FEMA payments• Used FEMA’s disaster assistance database to draw a statistical sample for
fraud/improper payments• Identified individuals with multiple registrations and duplicate payments • Compared payments to federal prison databases• Data mined for inappropriate uses of debit cards• Revealed over $1 billion in fraud or improper payments, including duplicate
payments and payments to ineligible or fictitious individuals– US Government Accountability Office
IMPLEMENTING A DATA MINING PROGRAM
DATA ANALYTICS – A GUIDE TO APPLICATION1. Build a profile of potential risks
• What are your highest risk business processes?• What frauds could occur in those processes?• What would red flags for fraud look like in those business processes?
2. Identify data available to help test for potential fraud• Identify and define specific fraud risks to be tested• For each risk, identify and define data requirements, data access
processes and analysis logic
57
DATA ANALYTICS – A GUIDE TO APPLICATION
3. Develop procedures & analyze data• Start with relatively simple tests and then add more complex analysis
building a library of specific tests• This is not testing a sample, it is testing the POPULATION
4. Make analysis results understandable• Try to answer one question at a time
58
DATA ANALYTICS – A GUIDE TO APPLICATION
5. Does analysis result address the identified fraud risk?• If not, go back to step #3 and refine• Are there additional tests that are needed
6. Perform investigation of anomalies or unexpected patterns, as appropriate
59
POTENTIAL ISSUES TO LOOK FOR• Duplicate payments of invoices• Fictitious vendors• Matches between employees and vendors• Improper approval processes• Circumvention of approval process• Gaps in numbering
POTENTIAL ISSUES TO LOOK FOR• Paying for items never received• Paying a legitimate vendor for personal items• Payroll –
– Fictitious overtime– Fictitious employees– Unauthorized raises– Terminated employees still being paid or receiving benefits (such as
insurance)
DATA USED IN ANALYSES• Vendor master lists/employee master lists• Accounts payable detail records/payroll detail records• Invoices/purchase orders• Checks and ACH transactions• Transactions by amount, by vendor, by week, by month, by year• GL detail records• Email/text/Internet browser history/recovered deleted files• Just about anything you can think of
INTERNAL INVESTIGATION TACTICS
63 // experience clarity
BEFORE YOU DO ANYTHING ELSE…– Consider compliance with legal obligations to avoid liability
• Consult with internal/external counsel about employment/privacy laws– Choose the investigators
– Often an individual within HR or Legal Department• Need to have relevant technical skills for the subject of the investigation
– Consider any existing relationships• Need to avoid preconceived ideas or opinions
• Consider hiring outside assistance, if necessary– Forensic accountants– External legal counsel– Best to bring in early in the process if you are going to use them
ELEMENTS OF A THOROUGH INVESTIGATION
• The elements of a thorough investigation include:– Gathering key evidence– Conducting in-depth interviews– Performing appropriate analytical procedures– Documenting the findings– Tracking steps taken along the way
GATHERING KEY EVIDENCE• Gather relevant information and evidence
– Financial documents • Accounting software
–Electronic export so analysis does not change actual information
–Always check the audit log• Bank statements• Leases• Contracts
GATHERING KEY EVIDENCE– Pull personnel files – both HR and Department
• Review to identify personal relationships within company
–Who have they reported to–Who have they worked with
• Performance evaluations and reprimands• Changes in job responsibilities• Credit reports – can be VERY informative
GATHERING KEY EVIDENCE
• Gather relevant information and evidence – Check https// pacer.uscourts.gov for
bankruptcies and federal matters (subscription)– Check www.uscourts.mo.gov/casenet for state
lawsuits (in Missouri) and accesskansas.org/countycourts (in Kansas) (subscription)
GATHERING KEY EVIDENCE
• Consider the need to have company-owned computers and cell phones forensically reviewed– DO NOT TURN THEM ON!!!
• Compile documentary evidence and review it for consistency with the allegations
PERFORMING APPROPRIATE ANALYTICAL PROCEDURES• Commonly performed procedures (not exhaustive list)
– Review accounting software audit log for deletions/changes/interest adjustments, etc.
– Review bank statements• Compare payee name on checks to vendor name in accounting software• Pay attention to round dollar amounts• Look for electronic payments directly out of the bank account for target’s
credit cards, utilities, or other obligations• Look into transfers to other bank accounts to determine where the money
was going• Look for out of sequence check numbers
PERFORMING APPROPRIATE ANALYTICAL PROCEDURES– Compare vendor master file and employee master file for common
attributes– Trend vendor payments to determine unexpected patterns– Research questionable vendors on Internet, Secretary of State
websites– Perform Google Earth review of questionable vendor addresses
PERFORMING APPROPRIATE ANALYTICAL PROCEDURES• If using computer or digital forensics
– Have company-owned computer/cell phone reviewed for• Deleted files of interest• Browser history (visited websites)
– Gaming sites– Competitor sites, etc.
• Email– To/from– Date– Keywords
• Text• Chat
CONDUCTING IN-DEPTH INTERVIEWS• Preferably performed by someone trained in forensic interviewing
techniques• Prepare interview questions based on allegations/issues and review of
documents and digital forensic results– Include questions to which you already know the answers in order to gauge
truthfulness• You will know the answers based on the information reviewed and analytical
procedures already performed– Ask people the same questions to see if you get consistent answers
• Determine the order of interviews (bull’s eye)– Complainant (if there is one)– Other potential witnesses or others that might have knowledge– Target
CONDUCTING IN-DEPTH INTERVIEWS• Interviews should take place in a discreet, neutral location
– Conference room versus an office• Try not to have a table between you and the target, so you can observe their
body language• Sit them closest to the door• Have a witness or record the interview (or both)
• Tone of the interview– Professional, try to keep your emotions out of it– Do not be confrontational or try to intimidate the target
• Go for empathetic• If nearing a confession, press on in a non-threatening manner• Silence can be your friend
CONDUCTING IN-DEPTH INTERVIEWS• High-level questions for complainant (if known) and
witnesses:– Who, what, where, when and why– How did the events affect you personally?– Did the conduct occur at other times that you were aware of?– Can you describe what you saw/heard?– Are there others who witnessed the event?– Are you aware of any other relevant information or documentation?– Is there anything I did not ask you that I should have?
CONDUCTING IN-DEPTH INTERVIEWS• High-level questions for target:
– What is your response to the allegations?– Tell me in your own words what happened
• Who, what, where, when and why– You have stated that the allegations are untrue. What are some reasons someone
would make the allegations? What or who else could explain the situation?– You have stated that the allegations are true. What prompted your actions? When
did this activity start? What accounts, clients, vendors are impacted? How much money do you think you took? Is there any money left? Would you be willing to participate in the investigation?
– Is there anything I did not ask you that I should have?– Ask for a signed written statement describing what they told you
• Read it and ask for any necessary clarifications or additional information
CONDUCTING IN-DEPTH INTERVIEWS
• It may be necessary to obtain corroborating evidence to determine the credibility of the witnesses and their statements
• Inform all witness that you may need to speak to them again and get them to agree to it
• Interviewees may ask for confidentiality– Cannot guarantee anonymity, but management
will do their best to keep the source of information confidential
DOCUMENTING THE FINDINGS• Final report
– Who is it being written for?• Internal management/BOD
– Will want to clearly identify missing or breached internal controls and recommended remediation
• Insurance filing– What type of information/support will the insurance company require in order to pay a
claim?» Ask your insurance company
– Include any internal controls that you had in place that were breached, if appropriate
• Law enforcement/prosecution– Make sure your exhibits are very clear and concise– Provide copies of all relevant underlying evidence
DOCUMENTING THE FINDINGS• Final report
– Summary of how the issue came to light– Issues that were investigated– List of documentation reviewed and analytical procedures performed– List of witnesses– Summary of information from any interviews– Findings for each individual allegation including amount of loss, if determined
• How was fraud perpetrated• How was fraud concealed
– Remedial actions taken during the investigation– Conclusions and recommendations
TRACKING STEPS TAKEN ALONG THE WAY• Any investigation may end up in eventual litigation (2-4 years out)• Have a scope of procedures that details
– What procedures you performed – What information you performed your procedures on– What time periods of information you reviewed– Who you interviewed (keep all notes taken or information given to you)– Update as your procedures expand
• Have an organizational scheme for your workpapers– Consider using a naming or numbering convention to keep track of versions
during the investigation– Consider a “report binder” and annotate the final report to the underlying
documentation and support
COMMON INVESTIGATIVE PITFALLS• Lack of timeliness
– Delay can allow fraud to grow– Perceived lack of attention can give impression management is indifferent or condones
activity
• Poor interviewing techniques– Lack of training– Lack of preparation
• Lack of expertise in issue under investigation– HR should probably not lead accounting fraud investigations
• Management interference– Bias, whether intentional or unintentional, could sway outcome
• Choosing the wrong investigators– Be careful of existing relationships
CYBERSECURITY
82 // experience clarity
LATEST BREACH
INTERESTING STATISTICS• Timing
– In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
– In 83% of cases, it took weeks or more to discover an incident occurred– Attackers take easiest route (63% leveraged weak, default or stolen
passwords)– 95% of breaches were made possible by nine patterns including poor IT
support processes, employee error and insider/privilege misuse of access
• Companies go back to basics once breached– 53% training and awareness– 49% additional manual controls– 52% expand use of encryption– 19% security certification or audit
Source: Verizon Data Breach Report, 2016
• Ransomware– FBI estimates more than 4,000 attacks a day– End users are the biggest risk factor
• Open infected emails• Click on links to rouge websites• Tricked into allowing fake tech companies access to their computers due to
alarming pop-ups
COMMON CYBERFRAUD ISSUES
QUESTION
• How many of your organizations have an Incident Response Plan for cyber fraud?
RANSOMWARE – INCIDENT RESPONSE
• Detect and conduct initial analysis of ransomware attack• Contain its impact and propagation• Eradicate instances of ransomware; remediate vulnerabilities that
originally permitted the attack and propagation• Recover by restoring data lost during the attack and returning to “business
as usual”• Conduct post-incident analysis to address any regulatory and/or
contractual requirements (including breach notification)• Identify “lessons learned” regarding incident response effectiveness
POST-BREACH: LESSONS LEARNED & ASSESSING ADDITIONAL VULNERABILITIES
• Take stock of the breach results– What did we do correctly?– What improvements need to be made?
• Identify additional risks that may exist & have not been addressed
POST-BREACH: LESSONS LEARNED & ASSESSING ADDITIONAL VULNERABILITIES
• Incident plan should contain steps necessary to contain the breach & conduct a preliminary internal assessment of the scope of the breach, considering the following– Isolating the affected system to prevent further release– Reviewing/activating auditing software– Preserving pertinent system logs– Making back-up copies of altered files to be kept secure– Identifying systems that connect to the affected system– Retaining an external forensic expert to assist with the investigation– Documenting conversations with law enforcement & steps taken to restore the integrity
of the system
BUSINESS EMAIL COMPROMISE SCHEME • A fraudster may gain access to (compromise) the email account of a
commercial customer’s employee and send fraudulent wire transfer instructions directly to the financial institution.
• Or, the fraudster may compromise or “spoof” the email of the commercial customer’s CEO, CFO or a long-time vendor and send an email to the commercial customer’s accounting personnel instructing them to institute a wire transfer to a new partner or vendor or to a new bank account for an existing partner or vendor.
• The email seems perfectly normal in format and the language is similar, if not identical, to previous emails of the same type. So, the financial institution sends the wire or the corporate accounting employee instructs the financial institution to send the wire.
FINCEN ADVISORY FIN-2016-A003• Emailed transaction instructions containing different vernacular
or terminology, timing and amounts than previously verified and authenticated transaction instructions.
• Transaction instructions originating from an email account closely resembling a known customer’s email account. – Pay attention to small variances like @abc.com versus
@abc.net.• Emailed transaction instructions direct payment to a previous
beneficiary, but the account information has changed.
FINCEN ADVISORY FIN-2016-A003• Emailed transaction instructions direct the wire transfer to a foreign bank
account.• Emailed transaction instructions for significant wire amounts to
beneficiaries which have not previously received a wire payment from that commercial customer.
• Emailed transaction instructions which signify the transaction is “secret”, “confidential” or “urgent”.
• Emailed transaction instructions which leave the financial institution ( or paying organization) limited time or opportunity to confirm the authenticity of the request.
FOR MORE INFORMATION
THANK YOU!Shauna Woody-CoussensManaging Director | BKD, LLPNorth Region Practice Leader – Forensic Accounting & Litigation Support
E: [email protected]: http://bkd.com/forensicsP: 816-701-0250