Detecting

& preventing
fraud with
data analytics
Table of contents
Detecting & preventing fraud with data analytics 1

Fraud is costing trillions 3

Data analysis tools are now critical 4

Why sampling is no longer good enough 7

Types of analysis testing 8

Progressing to continuous monitoring 10

Data analysis techniques 11

01  Benford’s Law 12

02  Trend analysis & time series analysis 13

03  Ratio analysis 14

04  Duplicate transactions 15

05  Even amounts 16

Steps to get your fraud program started 17

20 common analytics tests 18

2
Fraud is
costing trillions
Did you know that fraud is costing organizations $2.1 trillion globally
per year? 1 To help you put that enormous number into perspective,
that’s more than Brazil’s total GDP—the eighth largest world economy!

Here are some other astonishing numbers: The typical There’s no question that fraud schemes have become
2
amount of revenue lost to fraud is reported at 5%. That more sophisticated, and fraudsters are constantly finding
means the US healthcare sector (which sees annual new ways to manipulate technology to their advantage.
revenue of $3.5 trillion) is estimated to lose up to $175 Organizations and governments around the world are
billion every year, while the $1.2-trillion insurance heavily investing in technologies and resources to help
industry loses around $60 billion. stem the massive flow of lost revenue.

One of the most valuable technologies to fight fraud is advanced data analytics. Data
analytics software can identify the trends, patterns, anomalies, and exceptions within data
that reveal the digital “fingerprints” of fraudsters.

A recent global survey by PwC found that 44% of This eBook looks at how to implement a successful
respondents are planning to increase spending on fraud program, including key considerations and
fraud prevention and economic crime over the next two techniques for detecting fraud, and the types of tests
3
years. The report says that most of this money is going you can run, and gives a number of practical examples
toward more powerful technology and data analytics. you can apply across a range of business functions.

1 Deloitte, 2018, Fighting fraud with analytics: The future of investigations

2 Intel, 2017, Stay ahead of fraud with big data analytics
3 PwC, 2018, Global economic crime & fraud survey

3
Data analysis
tools are now
critical
The amount of data we produce worldwide is growing—and there’s no
sign of it slowing.

The International Data Corporation (IDC) defined three All together, these data creation points make up the
areas where this data is being created: Global Datasphere, which is expected to grow to a
4
whopping 175 Zettabytes (ZB) by 2025. To put that

01 The core (traditional and cloud datacenters). number into context, each day, internet users produce
2.5 quintillion bytes of data. It would take 400 days of
collecting data to reach one single ZB. And 70,000 days
02 The edge (enterprise-hardened infrastructure of internet surfing to reach 175 ZBs.
like cell towers and brand offices). So, the world’s data is exploding—and that includes
your own organization’s data—making it really hard to
03 The endpoints (PCs, smart phones, and internet uncover fraud indicators. Internal controls are, on their
of things (IoT) devices). own, not enough. (And employees are getting more
cunning when it comes to finding ways to get around
them.)

If you want to effectively verify and monitor internal

controls, you need to draw on multiple data sources,
analyze 100% of your transactions, and test them
against established policies and procedures, across
applications and IT structures.

4 IDC, 2018, The digitization of the world from edge to core

4
But with such huge volumes of data, manually reviewing all of it is super costly and time-consuming—and simply
impossible for large global organizations. However, with data analysis, you get a quick overview of your business
operations and can easily drill down into the details of specific areas. This makes examinations much faster, more
detailed, and more comprehensive than manual processes.

“Proactive data monitoring was associated

with 52% lower losses and frauds detected
in half the time.”
» Association of Certified Fraud Examiners,
2018 Report to the nations on occupational fraud and abuse

WITH THE RIGHT DATA ANALYSIS TECHNOLOGY, YOU CAN:

+  Automatically search 100% of your transactions for +  Strategically realign resources to focus detection
indicators of fraud. efforts on suspicious transactions.
+  Easily merge, normalize, and compare data from +  More accurately calculate the impacts of fraud.
different systems and sources. +  Significantly reduce sampling errors and improve
+  Quickly identify fraud before it becomes material (or internal controls.
front-page news). +  Save time by automating repetitive tests.

WHAT FEATURES SHOULD YOU LOOK FOR IN A DATA ANALYSIS TOOL?

Here are five things you’ll want to make sure are in your analytics solution.

01 The ability to perform pre-built analytic 04 Automated detection and prevention, and the
routines like classification, stratification, duplicate development of complex tests to detect and address
testing, aging, joining, and matching. the more sophisticated types of fraud.

02 Data access and manipulation, which 05 Procedure logging, which generates complete
accesses, compares, cleanses, and combines data audit trails that may be required to support detailed
from almost any source. investigations.

03 Data visualization, to uncover unexpected

anomalies more easily and provide additional insights.

5
6
Why sampling is
no longer good
enough
There are some serious shortcomings with many controls testing
methods like sampling.

+  You can’t fully measure the impact of control Although testing a sample of data is a valid audit
failures. approach, it’s not as effective for fraud detection
+  You can miss many smaller anomalies—which can purposes. This is because fraudulent transactions
result in very large frauds over time. don’t generally occur randomly.
+  Sample testing doesn’t find warning patterns or
To effectively test and monitor internal controls,
fulfill regulatory needs.
organizations need to analyze all relevant
transactions—something that’s almost impossible to
do without data analytics and automation.

7
Types of
analysis testing
Primarily, there are two types of data analysis testing:
ad hoc and repetitive/continuous.

AD HOC REPETITIVE/CONTINUOUS
The goal of ad-hoc testing is to get an answer to a Repetitive or continuous analysis for fraud detection
specific business question. Ad-hoc testing lets you means setting up scripts to run against large volumes of
explore and investigate your data. You can look into data to identify anomalies as they occur.
transactions and see if there’s anything to indicate This method can really improve the overall efficiency,
fraud has occurred, or to identify opportunities for fraud consistency, and quality of your fraud detection
to happen. processes. Create scripts, test them, and run them
Let’s say an employee address matches a vendor against data so you get periodic notifications when
address. You can go and find that specific information— anomalies are detected.
compare a vendor master file against an employee You can run the script every night to go through all your
master file and look for matched records. If you find transactions, then get notified of trends and patterns,
something there, it could be indicative of somebody and route any exceptions to management. You’ll start to
setting themselves up as a phantom vendor. With proactively detect fraudulent activity early, before small
ad-hoc testing, you can run tests to uncover specific occurrences escalate into bigger problems.
opportunities where fraud could occur.
For example, purchase card (P-Card) abuse is a
But this is still really manual and time-consuming. And, prevalent problem because big organizations often
if that sort of anomaly seems to be relatively prevalent or have large volumes of P-Card purchases. To help
there’s certain exposure to risk that you’re not comfortable address this, you could run a script that tests all P-Card
with, maybe you want to investigate on a recurring basis, transactions as they occur, to make sure they’re in
which leads us to the second type of testing. accordance with controls.

Automating testing on obvious problem areas like P-Cards

frees up your team to investigate other areas where things
could be going wrong, or to focus on those tasks and
projects that require a lot of time and manual attention.

8
Automated fraud monitoring analytics

Automated fraud monitoring makes it possible to:

+  Apply a risk-based approach to your fraud +  Flag violations, automate follow-up, and notify key
programs. stakeholders to address fraud before it grows.
+  Easily connect to internal and external data +  Refine your analytics and monitoring programs
sources and automate analysis for continuous to focus on higher-risk fraud and to reduce false
monitoring. positives.
+  Apply advanced analytics and machine learning
techniques to identify trends and high-risk
activities.
9
 Progressing
to continuous
monitoring
The Association of Certified Fraud Examiners reported that the typical
fraud case goes on for 16 months before it’s detected.5

There are obvious advantages to detecting fraud It’s pretty straightforward to move from using a suite
quickly, and timely risk mitigation makes a strong of fraud-specific data analytics on an ad-hoc basis
business case for analyzing and testing transactions to continuous monitoring. Assuming the issues of
on an ongoing basis. data access, preparation, and validation have been

Once a test has been developed to uncover a addressed—and that the tests have been proven

specific fraud indicator, it makes sense to repeat effective—moving to continuous monitoring simply

the analysis on a regular basis. How often you run involves automating your testing.

the test depends on your goals and the size of your Then you can also set up an automated workflow for
organization. For example, in the case of monitoring remediation. Exceptions generated by specific tests
payment and revenue transactions, it might make will be automatically routed to specific individuals for
sense to perform automated testing on a daily basis. review. Notification of high-risk exception items can
For areas like P-Cards, travel and entertainment (T&E) be routed to more senior management. So, you can
expenses, and payroll, you may only need to perform be sure issues are being flagged and followed-up on.
testing on a weekly or monthly basis, to align with
payment frequencies.

5 Association of Fraud Examiners, 2018, Report to the nations: Global study on occupational fraud & abuse

10
Data
analysis
techniques
There are a number of specific analytical techniques that are effective
in detecting and preventing fraud.

11
 01
Benford’s Law
Benford’s Law is a fascinating and very effective way of detecting
potential fraud and intentional data manipulation.

It’s fascinating because surprisingly, people who Using data analysis, you can see artificial highs or
make up figures or data usually follow patterns and lows within your data that could be indicators of
generally distribute numbers uniformly. fraud, and then you can drill down and investigate

Benford’s Law is a common statistical technique. further.

It basically states that lists of numbers from many Benford’s Law is particularly useful for detecting
real-life sources of data are distributed in a specific purchasing and accounts payable fraud. Other areas
and non-uniform way. The number one appears about where it’s suitable for use include:
30% of the time. Subsequently, the number two
+  Journal entries
occurs less frequently, then number three, number
+  Accounts payable transactions
four, all the way down to nine (which occurs less than
5% of the time). The idea is to test certain points +  Customer/client refunds

and numbers and identify those that appear more +  Credit card transactions
frequently than they’re supposed to. +  Purchase orders
+  Loan data.

Example:
Benford’s Law could be applied to determine fraud schemes where employees are raising
contracts for amounts within a certain range, where a particular set of numbers (e.g., “39” in
“39,900”) appear in the data more often than expected. In this instance, the employee could
be raising contracts beneath the bidding limit and directing them to a company that they have
a personal involvement in (e.g., a spouse or family member).

12
02
Trend analysis & time
series analysis
Analysis of trends across years, or across departments, divisions, etc.
can be very useful in detecting fraud.

In a nutshell, trend analysis is the idea that what has to the expectation. If the trend doesn’t meet the
happened in the past will give insight into what will expectation of what will happen, you can determine
happen in the future. In data terms, it’s a statistical why. The period-to-period change method is the
technique used to calculate data trends over time and simplest type of trend analysis. For example, you
make predictions based on the assumption that the project data into the future (e.g., month or year) based
trending patterns will continue. on data from two or more prior periods, and then

Using trend analysis, you can examine the general you measure the outcome in dollars or percentage

ledger balance over time. Once you have an change.

expectation of what will happen, compare the trend

Example:
Trend analysis is very effective in detecting kickback schemes. For example, running trend
analysis to compare the rates of return of defective products may indicate a potential
kickback scheme. In this example, somebody buys inferior goods and returns them, receiving
kickback earnings. Trend analysis looking at quantity and price over time can reveal this type
of fraud, especially in cases where significantly more product is purchased than is necessary.

TIME SERIES ANALYSIS

Time series analysis is useful if the data has a indicates that the data has diverged from its past
seasonal component (e.g., higher values associated trend, meaning a change of some kind must have
with certain months or days of the week). Predictive occurred. Further investigation may reveal that this
analysis from both trend analysis and time series can change was intentional/malicious
be used in a continuous monitoring environment. The
analysis can help provide a forecast, and that data
can then be compared to the actual data immediately
after the event. Any difference between the two
13
 03
Ratio analysis
Another useful fraud detection technique is the calculation of ratios for
key numeric fields.

Like financial ratios that give indications of the relative Three commonly employed ratios are:
health of a company, data analysis ratios point to
+  Highest value to the lowest value (maximum/
possible symptoms of fraud. minimum)
+  Highest value to the next highest
+  Current year to the previous year.

In many cases, high ratios or abnormal values that

deviate from industry standards and/or current
business scenarios, have often unearthed potential
frauds that need to be investigated.

14
04
Duplicate transactions
Duplicates testing is one of the more common fraud tests because
it can indicate fraud as well as inefficiency and inaccuracies in
transactions.

Running tests for duplicate transactions can would be an unexpected data pattern. Duplicate
determine if, for example, you’re getting duplicate transactions could be a possible symptom of fraud
invoices from somebody—and whether it’s deliberate that should be examined. But, a word of caution: you
or accidental. should properly investigate the transactions before

Ordinarily, invoice-number/vendor-number jumping to conclusions. Transactions that look like

combinations are unique. So, transactions with the duplicates may simply be progress payments or equal

same invoice-number/vendor-number combinations billing of monthly charges.

Example:
Duplicate invoice numbers could indicate that invoices have been paid twice, either
accidentally, or intentionally. A fraudster could be processing these invoices and paying the
money to themselves, or working with somebody at the vendor company to share the proceeds
from the duplicate payments.

15
 05
Even amounts
Even (rounded-dollar) amounts don’t happen that often. So, numbers
that are rounded to tens, hundreds, and thousands might be
considered anomalies and should be looked at more closely.

And don’t just focus on the large dollar amounts. accommodation). To ensure that these maximums
Small even amounts should be reviewed, because aren’t abused, the claims should be checked against
these are generally easier for fraudsters to get away receipts. It’s very uncommon, for example, for a hotel
with. For example, consider reimbursement of travel room to come to a rounded figure with taxes included.
expenses. Your organization will have maximum But if you’ve got hundreds of employees and they’re
daily amounts for travel, meals, gas, etc. It’s most all making expenses claims, that’s thousands of
likely that these amounts are set in even-dollar expenses to analyze and confirm that the amounts
amounts (e.g., $90 for dinner, $200 per night for are legitimate, which can’t be done manually.

Data analysis software allows users to identify rounded-dollar instances in the data, so you
can investigate these further and ensure that claims match the data.

16
Steps to get
your fraud
program started
Data analysis technology can help calculate the impact of fraud so
you can actually see how much it’s costing the organization. This helps
with determining the ROI on dedicated fraud analytics technology.

F W
 rite down all of the different types of F C
 ommunicate the monitoring activity
fraud that could occur and the areas they throughout the organization so employees
could occur in. and vendors are aware of the fact that
you’re paying very close attention to
F T
 ry to measure the risk of fraud and the what’s going on.
overall exposure to the organization.
What would it cost if the fraud that you F P
 rovide management with immediate
wrote down in the first step actually notification when things are going wrong.
happened? (Better to raise any issues right away
than explain why they occurred later.)
F A
 ddress the costliest items first. Set up ad-
hoc testing to look for indicators of fraud F F
 ix any broken controls immediately.
in these areas. Based on this analysis, Segregation of duties is important. If one
investigate patterns and indicators that person can initiate a transaction, approve
emerge, and set up your continuous the transaction, and also be the receiver
monitoring. of the goods, there’s a real problem.

F Expand the scope and repeat.

17
 20
common
analytics
tests
Do you know how much fraud is costing you? Data analysis
technology can quantify the impact of fraud.

The following 20 tests explore business functions where fraud is common, including general ledger, travel and
entertainment expenses, payroll, IT, procure to purchase, and order to cash.

18
01 Suspicious journal entries by keywords 04 Expense profiling
Identify suspicious journal entry descriptions using Profile expenses by identifying average spend by
keywords that may indicate unauthorized or invalid departments.
entries. Example: HR has been spending large amounts on travel
Example: A description was found with the keyword for prospective candidates, and your sales department
“building” in the short-term asset account. Was this has been traveling in business class for short domestic
mis-classified? Is it even valid? trips.

02 Stratify general ledger accounts 05 Suspicious reimbursement claims: Rental cars,

Stratify a particular general ledger account to look for fuel, and mileage

journal entries that are outside of the normal range of Identify employees claiming fuel expenses when
values posted to the account. they’re already claiming mileage expenses for personal

Example: Payroll expense account transactions vehicles, and reports with a fuel expense without a

typically average $2M, but there seems to be one matching car rental expense.

entered for $500K—was this posting properly Example: Tim submits his mileage expenses each week
authorized? for driving his car to off-site locations. He has also been
submitting fuel expenses for some of his trips, which
led to a reimbursement error not caught by the finance

03 Outlier journal entry amounts team.

Select journal entries that deviate more than two

standard deviations from the average posted amount.

Example: Analyze the trends of all your accounts to

06 Split purchases
highlight transactions that might require scrutiny. Detect split purchases—expenses by the same

These transactions are unusual because they’re much employee, same expense type, and same date, where

bigger than expected amounts. each expense is less than the limit, but together are over
the approval limit.

Example: Steve’s purchase limit is $500, but he orders

some brand-new supplies which cost $800, and splits
the purchase into two $400 payments. Each payment is
under the limit, but together they are over the approval
threshold.

19
 07 Excessive group meal expenses 10 Dormant cards
Identify average amount of group meals per attendee; Identify any lost, stolen, or unused P-Cards.
report cases that exceed thresholds. Example: Carol left your company last year, but it
Example: Tony abuses his T&E privileges at business seems the P-Card she was issued is still active in the
dinners by ordering alcohol totaling $140 per system, increasing your risk of financial exposures.
attendee, much higher than the authorized threshold
of $50.

11 Multiple salary increases

08 Round amounts Identify employees with more than three different base
salaries within a year, to ensure the increases are
Identify potentially suspicious transactions with valid.
rounded amounts. Example: There were two employees who received
Example: Each month, Roger always has a mysterious six minimal, but incremental salary increases in the
$200 transaction. He has been abusing his P-Card last year—were these authorized?
and using it to take out cash advances for personal
use.

12 Phantom (ghost) employees

09 Duplicate claims (“double dipping”) Identify any phantom (ghost) employees being used
for fraud (e.g., channeling funds to an unauthorized
Identify employees who are creating duplicate claims party).
(“double dipping”) by submitting the same expense Example: A payroll administrator has been
under a corporate card transaction and an out-of- reactivating terminated employees and changing their
pocket transaction. banking details to his own account.
Example: Samara submits duplicate claims for the
same expenses: she claimed $360 for hotel expenses
on her corporate card, but also submitted another
expense report claiming this was paid with her
personal card.

20
13 Segregation of duties 16 Non-PO purchases
Invoice vs. vendor creation. Identify vendors with non-PO transactions greater

Ensure a segregation of duties exists between the than a specified threshold.

invoice creator/modifier and the vendor creator/ Example: A supplier intentionally submits a
modifier. false invoice, colluding with an employee in your
organization who shares the profits after approving
Example: Julianna was hired as a short-term co-op
and paying out the invoice.
student. But her system access was never revoked,
and somebody may use her account to validate invalid
invoices from fictitious vendors.
17 Employee-vendor match
Identify any matches in your employee master table

14 Duplicate invoices and vendor master table to detect entry errors or

possible fraud.
Identify any duplicate invoices/duplicate payments.
Example: A fictitious corporation is set up to channel
Example: A vendor accidentally issues duplicate
funds to an existing employee. The only identifying
invoices for the same item, which could potentially
information was that the bank account numbers
lead to duplicate payments being made.
matched with the employee’s payroll information and
the vendor master file.

15 Frequent changes to sensitive fields in vendor

master
18 Blanket receipts
Identify frequent changes to sensitive fields in the
Identify purchase receipts larger than a threshold
vendor master file.
where the largest related invoice is smaller than a
Example: A vendor’s address is changed to an certain percentage of the purchase receipt.
unauthorized location. After the check has been sent,
Example: An agreement with a service company
the address is reverted back.
for $100K in consulting services over the course of
three months is arranged. Out of laziness or process
deficiency, the receipt for the entire $100K is entered
all at once. How will you guarantee that the services
you paid for will actually be delivered?

21
 19 Validate customer credit limits 20 Sanctioned customers
Ensure all credit limits assigned to customers adhere Identify any customers who are also on a sanction list
to company polices by identifying customers with (OFAC’s SDN list, SAM list, HHS’s LEIE list, etc.).
unusual credit limits or credit limits that haven’t been Example: Nicholas Vidall is a name flagged in the
reviewed within a certain period. OFAC’s SDN list for having ties with members of a
Example: Although your customer, GoodFood Inc., is narcotics trafficking group. Sales transactions involving
only authorized a credit limit of $10K, it seems orders this customer may need to be reviewed thoroughly for
were being approved for much higher amounts and validation.
quantities. This now threatens your company with the
risk that GoodFood may not be able to pay you back
for all of your goods.

22
We can
help with
your fraud
detection &
prevention
program.
↳
Galvanize can help your organization mitigate fraud, waste, and abuse, identify risks and
opportunities for cost savings, and prevent funds leakage.
Call 1-888-669-4225, email info@wegalvanize.com, or visit wegalvanize.com.

23
ABOUT GALVANIZE Galvanize delivers enterprise governance SaaS solutions that help
governments and the world’s largest companies quantify risk, stamp out
fraud, and optimize performance.

Our integrated family of products—including our cloud-based governance,

risk management, and compliance (GRC) solution and flagship data
analytics products—are used at all levels of the enterprise to help
maximize growth opportunities by identifying and mitigating risk,
protecting profits, and accelerating performance.

wegalvanize.com

©2020 ACL Services Ltd. ACL, Galvanize, the Galvanize logo, HighBond, and the HighBond logo are trademarks or registered
trademarks of ACL Services Ltd. dba Galvanize.
All other trademarks are the property of their respective owners.