How to Use Data Analysis to Find Fraud

1
How to Use Data Analysis to Find Fraud
October 27, 2009 Office of the State Comptroller
ARMA Auditors
2
Agenda

• New Audit Approach
• Getting Started via Data Analysis
• Establish Automatic Steps
• Detect Outliers and Anomalies
• Test Fraud Schemes
• Success Stories

3
New Audit Approach
4
ARMA

• Focus on outcome results
• Limited or no reliance on documents
• Begin audits by performing data analysis using
  sophisticated software tools
• Moved away from historical audit steps
• Majority of audit is completed before field work
• Specializes in fraud techniques and audit steps

5
Data Resources Tools

• Data Resources
• OSC Data Warehouse
• Payment Payroll Data
• OSC PARIS
• OSC Contract Mgt System
• OSC Inter Trac
• Accurint Lexis Nexis
• Dun Bradstreet
• Guide Star

• Tools
• EnCase
• ArcGIS Mapping
• Audit Command Language
• Clementine
• Google
• Social Pages

6
Why We Dont Trust Documents
Site to create Fake Invoices
http//expenseasteak.com
7
http//expenseasteak.com
Type In ANY Amount Click on Expense It
8
Instant Receipts
9
Getting Started via Data Analysis
10
Getting Started via Data Analysis
Take the time to thoroughly understand what you
are looking at and where it came from

• What is your raw data?
• What information is in each field?
• i.e. dates, addresses, currency etc.
• Which fields are required vs. optional?

11
Organize Data
Determine the best organization for your data

• Sort data based on your test and expected results
• i.e. by date order, by payee, by money
• Rearrange data for each subsequent test

• Never Keep Data in the Same Format

12
Finding Something from Nothing

• Test blank optional fields
• Fraudsters hate to make up more information than
  needed
• Steps
• Identify all optional fields
• Pull out transactions whose optional fields are
  blank
• Review these transactions first

13
Finding More Than You Should

• Test miscellaneous fields
• Should seldom be used
• Steps
• Within each misc. field
• Determine if TOO Much Money was Spent
• Determine if TOO Much Volume was submitted

14
Example of Misc Fields
4th highest amount.2nd highest volume of
payments
15
Establish Automatic Steps
16
Automatic Payment Steps
For Payments Audits, we always identify the
following

• of payments submitted during audit period
• Total amount spent during audit period
• Who got the most money
• What product/service was purchased the most

17
Automatic Payroll Steps
For Payroll Audits, we always identify the
following

• Total annual payroll
• of employees on payroll
• Highest earning employees
• Highest earning OT employees

18
Detect Outliers and Anomalies
19
Detect Outliers and Anomalies

• What would a Payment outlier look like?
• Payments directly under approval levels
• Whole dollar expenditures
• Payments to PO boxes
• Duplicate payments
• Vendors with partial names and initials (Shell
  Co)
• Unusual results from side-by-side comparisons
• Benford Law

20
Benford Law
21
Side by Side Comparisons
22
Detect Outliers and Anomalies

• What would a Payroll outlier look like?
• Same employee on several agency payrolls
• Several employees living at the same address
• Not enough or too much payroll deductions
• Extreme overtime earned

23
Testing Known Fraud SchemesWithout Documentation
24
Shell Companies

• Question
• Was a shell company established to move money out
  of the agency and into the hands of an individual
  running a fraud scheme?

25
Shell Companies
Attributes Several small dollar payments to
unknown payees.

• Steps
• Summarize on vendor ID or name
• Count of payments for each vendor

26
Shell Companies

83 Payments within a fiscal year

• No amount more than 1,000
• Payee Name includes initials

27
Favored Vendors

• Question
• Is an employee using their influence and position
  to provide their friends and families with state
  business?

28
Favored Vendors
Attributes A payee is among the top earning
payees for an agency.... And. it doesnt make
sense

• Steps
• Add total payments received by each payee
• Who are the top payees receiving the most
  payments from the agency?

29
Favored Vendors
30
Requires Competition

• Question
• Is an agency circumventing public bidding by
  split-ordering products/services?

31
Requires Competition
Attributes Vendor receives several open-market
payments within a calendar year totaling more
than the agencys discretionary level.

• Steps
• Separate out contract payments from population
• Summarize remaining payments by payee ID or name

32
Requires Competition
33 Payments received during calendar year in the
amount of 84,645.00.
33
Detect Travel Fraud

• Question
• Are travel reimbursements appropriate and is the
  employee in overnight travel status as outlined
  in the OSC travel manual?

34
Travel Data
Attributes Traveler is less than 35 miles from
home and work and submits for overnight travel
expenses.

• Steps
• Use ArcGIS mapping to show the distance from home
  and work to travel destination.
• If not available, use mapping services provided
  by internet search engines.

35
Mapping
We found 2 travel destinations that were less
than 35 miles from both work and home. shown
in Yellow Highlighted Boxes
36
Another Example of Mapping
Dolly Rosen Dental 900 Dental Procedures a
Day Patients from Across the State
37
Identify Relationships

• Question
• Does a personal relationship exist between
  employees and vendors or vendors and vendors
  which contributed to collusion?

38
Relationships
Attributes Relationships among those involved in
the procurement processes may lead to collusion.

• Steps
• Use ACCURINT to detect relationship
• If not available, use Google and social pages
• Use Payment data to identify addresses

39
Relationships Found in Accurint

• Between employee and vendor
• Vendor purchased a mustang from employee
• Same Owner
• Two businesses bidding on same state project is
  owned by same individual
• Contract winning vendor was related to losing
  bidder
• On the Same Street
• Owner of a business lives on the same street as
  employee and received in an increase in state
  business once employee was promoted

40
Misuse of State Computers

• Question
• Is an employee using their state computer to run
  a personal business and/or visit inappropriate
  sites?

41
Misuse State Computers
Attributes Employees activities will show
navigation to inappropriate sites or length of
time spent on non-state business.

• Steps
• Imaging or ghosting hard drives from agency
  computers and/or network.
• Use Encase to analyze hard drives to read files
  including e-mails.

42
Encase Internet Search
43
Encase E-Mail Search
44
Detect Up Coding

• Question
• Is a medical provider increasing their medical
  bill by charging for a procedure or office visit
  that is more complicated than the one actually
  performed and therefore receiving a higher
  reimbursement?

45
Detect Up Coding
Attributes Billing under expensive medical
codes than work actually performed.

• Steps
• Establish a model in Clementine
• If not available Identify like providers to
  compare
• Separate medical codes into low, medium and high
  costs
• Calculate percentages for each level of medical
  code submitted per provider to detect if any one
  provider stands out

46
Example of a Clementine Model
47
Detecting Up Coding
48
Success Stories