Finding the needleUsing forensic analytics to understand what happened – and what might happenIntroductionFraudsters are a crafty bunch. Their goal is to remain undetected, and many of them do a really good job at accomplishing that goal. In fact, according to, “2010 report to the Nation on Occupational Fraud,” a biennial report published by the Association of Certified Fraud Examiners, 65% of occupational fraud at public companies was detected by tips, management review, or simply by accident.1 What this says is that, for all the internal controls employed by companies today, when fraud is discovered, it is by humans – and by accident — rather than by technology.

12010 Report to the Nation on Occupational Fraud. The Association of Certified Fraud Examiners, 2010, p. 19. (retrieved 2011 02 15)

That is a sad statistic, given the wealth of sophisticated analytical technologies available to businesses today. It has to change, and it can through the use of forensic analytics. This combination of human intuition and leading-edge analytics technologies can have a positive impact on the detection and investigation of fraudulent and other illegal or unethical activities if the proper analytics detection methods are employed.

Forensic analytics consists of a set of analytics techniques that investigators can use to uncover irregularities in financial data. Typical problems include errors, biases, duplicates, and omissions. The goal of forensic analytics is more than to simply detect irregularities, however. The real goal of forensic analytics is to find out how — and why — these irregularities exist, and to find out the source of the anomalies — especially when fraudulent activity is suspected.

What is more, the application of forensic analytics techniques can prevent financially draining errors or fraudulent activities from happening in the first place, making the tools used to analyze frauds, errors, and other corruptions particularly valuable to decision makers. When a company has fraud-detecting systems and technologies in process, managers can do far more than explaining problems in hindsight. They can parlay their understanding of how and when anomalies occur to build foresight.

Forensic analysis occurs in a demanding space. Indeed, a company’s reputation, financial health, and even survivability can be at stake when faced with even the smallest of frauds, especially if the case involves the media and public scrutiny. The cost of careless or inaccurate analytics itself is very high, so it is important to “get it right” the first time, turning to dependable, demonstrated technologies and processes to answer the serious questions and resolve the underlying challenges. Employing the tools of this discipline yields a return on investment that can be hard to measure, but nonetheless

2

substantial if a company can move beyond explaining past errors and actually prevent issues from arising in the future.

If the tools of forensic analytics can minimize risks or prevent catastrophes from happening in the first place, an investment in an exploration is worth understanding the ins and outs of the practical application of its concepts.

Guiding principlesForensic analysts’ work is guided by a set of four principles. These principles are key to effectively ferreting out data anomalies and establishing confidence in the results.

The four guiding principles of forensic analytics:

• Precise• Repeatable• Defendable• Integrated data

Any analysis conducted should be performed with a keen eye for detail and accuracy. Since the issues being investigated are usually of great consequence, or the numbers themselves demonstrate an abuse of assets, the work should be done with a narrow margin of error. The tools of the trade should be sharp and deliver the precision investigators depend on.

Second, the work should be repeatable. Forensic analysts are called upon to process complex scenarios in a compressed time frame. A repeatable framework not only aids in efficiency, but it can come in handy if the analysis is held up to judicial inquiry.

Indeed, the work should also be defensible. In other words, “black box” models are not preferable. To stand up to close scrutiny — especially when fraud is suspected — forensic techniques used should be transparent and employ generally accepted techniques. In this field, people seek to “prove you wrong” and may bring a company to trial in the public press, so it is imperative that the tools used to build a case can withstand the pressures of cross-examination.

Finally, the data from the analysis should be integrated for interpretation. Analysts must fuse structured and unstructured data from a variety of sources to facilitate contextual understanding and analysis. Data is often heterogeneous, however, existing in different formats, different languages, and on different systems. This heterogeneity can make synthesizing the data an arduous task for analysts if the data is old and housed on defunct operating systems or deeply embedded within disparate programs. Therefore, the tools and techniques they use are usually chosen carefully for the case at hand.

MethodologyTo meet these four principles — so that the work delivers precision, repeatability, defensibility, and data integration — it is advisable to employ a standard, repeatable methodology in forensic analytics. While the methodology can be applied to most kind of analytics exercise or management consulting project, forensic analysts employ a particular brand of creative thinking to move through the steps with efficiency. Each step answers a question in a way that is unique to the situation being evaluated.

• Dataidentification — What data needs to be used to analyze the situation? A large volume of information is usually explored in most forensic analytics cases, and analysts are challenged to quickly determine what information is most relevant. They consider that data may come from various sources — some data will be structured, some will be unstructured, and some will be from a third party — and that only the right data will serve as the basis for case evidence. This step also involves the mapping of electronically stored Information and paper documents.

• Forensiccollection — How does one get the data? In addition to following the standard protocol for collecting data — using established forensic preservation standards, maintaining the data’s chain of custody, and performing data integrity checks for completeness — the forensic analyst faces other considerations. The case’s legal environment, for example, might include multiple jurisdictions with differing regulations and data privacy concerns. Data may need to be gathered secretly under the noses of those in wartime or who are otherwise unaware of the ensuing investigation. Analysts will determine the leading methods to get the information they need – certainly not a trivial matter in forensic analytics.

• Datafusion — How is the data going to be joined together and structured for analysis? The data may be in dozens or even hundreds of formats that analysts must assemble to meet the individual dynamics of the case. Simply put, a lot of data needs to come together in a way that it is easily accessed and evaluated in order to answer specific questions. Based on the needs of the investigation, analysts may integrate structured and unstructured data using temporal and entity keys and derive context by superimposing data sets. They should also house the data appropriately, in a database, data mart, or data warehouse, before the queries can be run and insights derived from the analysis.

3

• Forensicanalyticsapplication — What tools will be used to analyze the case? The scenario may call for analysts to look at simple queries or turn to other methods, such as relationship mapping, link analysis, hypothesis testing, or econometric modeling. In any case, analysts will apply rules-based detection on required transaction data to identify anomalies suggestive of fraud, terrorism threats, and other misdeeds. They may develop statistical models to identify previously unknown patterns and adjust anomaly detection rule sets through a feedback loop.

The element of feedback is becoming increasingly important in forensic analytics because it lends an iterative aspect to the process. The ability to make changes to the data sets or analytic models based on experience, query results, and even the emergence of new questions in the investigation, helps in the application of forensic analytics to predictive analysis — not to mention help analysts in fine-tuning their work as they progress through a case investigation.

The methodology in action: the UN Oil-for-Food ProgramHow does this methodology work in the real world? Very well, actually. As an example, we can take a look at the United Nations (UN) Oil-for-Food Program and the resulting scandal and prosecutions. The UN Oil for Food Program allowed the government of Iraq to sell oil and, in return, buy humanitarian goods.2 Under the program, Iraq sold $64.2 billion in oil to 278 different international companies. It used $34.5 billion of that money to purchase humanitarian goods from 3,416 different international companies.3

As the program progressed, it was beset by allegations of bribes and kickbacks. In response, the UN set up an Independent Inquiry Committee (IIC), headed by former US Federal Reserve Chairman, Paul Volcker. Mr. Volcker directed an in-depth forensic analysis that uncovered $1.8 billion US in kickbacks and bribes, and about $50 million in potentially fraudulent over-charges from the UN to the program.4

Uncovering such a massive fraud was not easy. There were thousands of documents that detailed

2United Nations Security Council Resolution 986 S-RES-986(1995). On 14 April 1995. (retrieved 2011 03 18)3Report on Programme Manipulation. Chapter One: Summary of Report on Programme Manipulation. Independent Inquiry Committee into the United Nations Oil-for-Food Program. On 7 October 2005. p.1. (retrieved 2011 03 18)4Ibid.

communications, events, and transactions — both paper and electronic — in nearly a score of languages and just as many currencies. There was also quite a bit of traditional gum-shoe activity that had to be done and investigators travelled the world in search of evidence, witnesses, and accomplices. All pertinent documents had to be identified, collected, correlated, and analyzed for probative facts that would confirm fraudulent activity. The mission was herculean — both in its scope and its complexity. The application of forensic analytics tools and techniques, however, made it possible.

The forensic analytics methodology in the UN Oil-for-Food ProgramStep1:DataidentificationThe first task in the forensic analytics process was to identify data necessary to reconstruct the contracts and then look for fraud within those contracts. Analysts needed to uncover who was behind the alleged fraudulent activity and how they communicated, when and where the illegal financial activity occurred, and how it was accounted for. To reach this end, they had to locate and piece together data from around the world, including:

• Financial transaction data, which was comprised of banking, accounting, wire transfer, and payment documentation

• Communications data, such as e-mail and telephone records

• Contract paperwork

• Data providing the market prices of contract goods

Step2:ForensiccollectionOnce it was determined what data was needed to investigate, the data had to be collected and normalized. This entailed:

• Securing access to systems containing electronic data, as well as hard-copy data sources

• Sending someone out into the field to find out if companies cited in contracts were truly the entities they appeared to be

• Scanning and normalizing unstructured data, such as paper documents, e-mails, receipts, etc., using text parsers and indexing methods

• Translating documents from multiple languages using auto translate software as well as people, and putting the information into a unicode database

• Normalizing over 20 currencies in transactions into one currency

4

Step3:DatafusionThe normalized data needed to be fused and put into a structure that facilitated analysis. The goal was to see each contract and the transactions associated with it — all structured and unstructured parts — in a unified view upon which investigators could draw conclusions. Investigators:

• Used a number of methods, including entity resolution software, link analysis, and e-mail analysis to establish relationships between individuals and companies

• Layered massive amounts of structured and unstructured data one piece over another to tease out names, companies, accounts, transactions, phone records, and even changes in financial behavior to paint a picture of what was really happening

Step4:ForensicanalyticsapplicationOnce the compilation process was complete, the analysis team went deep into the trenches of forensic analysis of the data. The scams were complex and meant to be hidden. Part of the data fusion was to get the U.N. records to match up with the Iraqi records, which was remarkably difficult because many Iraqi records were destroyed due to wartime.5 But cross-corroboration was critical to show a clear picture of what each contract involved and confirm suspicions of illegal activity.

Because some of the pertinent data was missing, and some was contradictory, analysts developed statistical and rules-based models to fill in the blanks. In doing so, they were able to verify nearly half of the Iraqi records for accuracy and had enough confidence in their findings that they were able to estimate the other fifty percent.6 The investigation:

• Demonstrated that bribes were built into the contracts through inflated prices of goods

• Found 1.8 billion dollars of kickbacks and bribes, and about 50 million dollars in over-charges from the UN to the program

• Resulted in the the identification of more than 2400 companies that were complicit in subverting the UN Oil for Food Programme.

The findings helped the UN evaluate its processes so it could put better controls in place and prevent similar occurrences from happening in the future.7 Additionally, much stronger financial disclosure requirements were recommended, as well as adding oversight personnel and necessitating UN assembly approval of program decisions.

5A Discussion of the UN, Iraq and the Oil-For-Food Investigation. Deloitte video on www.deloitte.com. Last updated July 27, 2010 6Ibid.7Ibid.

Looking forward — forensic analytics techniques for predictive modeling and forecastingAt some point, most enterprises face a look back with forensic analytics. The field has evolved, however, with growing volumes of data and shifting focus on prevention. Many companies now seek solutions incorporating more proactive, predictive techniques, and continuous monitoring. The future of analytics calls for innovations that embed advanced analytical concepts to solve nonrelational and nonlinear challenges – tools to detect fraud in real time.

ContinuousmonitoringandanomalydetectionAs the regulatory and economic environments change, schemes and errors related to fraud, waste, and abuse also tend to change and evolve. While a traditional rules-based anomaly detection system is generally good at finding fraud, it has been shown that over time, the rules may become less relevant; hence, the system becomes less effective, generating more Type I (false positive) errors. The need for more accurate rules-based reasoning tools in the forensic analytics space has resulted in the creation of the next-generation “hybrid” anomaly detection system.

This advanced analytics solution has been developed to help analysts identify anomalies based on known patterns – as well as adapt to previously unknown schemes – through continuous monitoring. This hybrid

Guiding principles in actionPrecision — the global scope of the investigation meant investigators were dealing with data in multiple languages, currencies, and formats – accuracy in translations, financial calculations, and in the reconstruction of program contracts was critical to uncovering the exact details of the far-reaching illegal activity.

Repeatability — work had to be executed quickly and massive amounts of data had to be processed, making it imperative that analysis was performed within a repeatable framework.

Defensible — as the forensic evidence was under scrutiny of the Independent Inquiry Committee that used a standard of review of “reasonably sufficient evidence” the investigators had to demonstrate their methodology and conclusions to the Committee. The Committee’s analysis and final findings were published in a series of public Reports.

Integratable — layering of structured and unstructured data sets allowed analysts to infer a picture of what each contract entailed and who was involved.

5

model combines leading traditional rules-based reasoning with more advanced predictive analytics to create a self-learning construct that will minimize Type I and Type II (false negatives) over the long run. Transactional screening in real-time, while conducting analysis to identify new trends and patterns off-line, can help an organization protect resources for productive use.

A feedback loop is the component of advanced predictive analytics that uses the past to predict the future in order to take action in the present. It essentially powers a rules-optimization routine that significantly reduces dead rules and adds new ones. Instead of looking at one transaction at a time, as with a traditional rules-based reasoning system, the hybrid model incorporates an off-line look at data as a group — perhaps looking at transactions over a quarter or years’ time — which helps the system “learn” from historical trends and help predict future ones. This is serious analytic heavy-lifting, and it signals the future of forensic analytics.

SemanticmodelingAlso on the leading edge of fraud detection and prevention is semantic modeling, which provides a level of sophistication and understanding akin to human thought and behavior. Its mechanics are based on human thought and behavior, in fact, fraud is a human act. When a person or group of people commit fraudulent activity, they leave “fingerprints” in the e-mails they send, to whom they send them, and in the words they use or do not use. Semantic modeling is able to take these fingerprints, evaluate their “where,” “when,” and “who,” and fit them into conceptual framework it identifies as either indicative of fraud or within the scope of “usual” behavior.

Semantic modeling makes it easier to find relationships in massive amounts of data, but goes beyond bits and bytes. It helps analysts to approach a problem in terms of concepts and abstractions, not data, and they help to identify what is important, organize it, hypothesize about it, and discover connections between disparate data. Using semantic modeling — in tandem with some of the traditional analytics tools — lends an ontological perspective helping to explain how things work and what is the meaning of relationships. It would allow an analyst to lay out an entire program and detect what could have gone wrong with it and place data on top of it as opposed to starting with the data and then backing into it to find what is in it.

The concept of semantic modeling has been known to computer scientists, computer engineers, and even

linguists for quite some time, and its real-life application is still developing and has tremendous potential. Tremendous opportunities exist for creativity, insight, and competitive advantage with these cutting-edge analytics models. Forensic analysts continue to work on the models and test their capabilities. Nevertheless, enterprises using the tools, even in this early stage of their development, can differentiate themselves when they apply them to real-time fraud detection and prevention.

WrappingitupThe environment in which forensic analytics is applied is dynamic and evolving. The tools need to be particularly sharp, the methods repeatable, and the findings defensible. The data in forensic analytics cases can be complex and incongruent, and the techniques used to integrate the data and make it accessible to analysts asking questions are usually applied within tight time frames and amidst various forms of scrutiny. The methodology itself is able to deliver powerful insights to a wide range of cases – from explaining minor system irregularities to uncovering fraud in the most complex, global scenarios.

The tools that have been used to analyze fraud in a looking-back perspective have remarkable potential to be used in preventing frauds from occurring in the first place. Strides are being made by analysts to improve the way structured and unstructured data are fused to bring better insights — and foresights — to forensic investigations. Leaders in the field, as well as corporate leaders adopting the tools of forensic analytics, are involved in developing exciting, creative innovations that continue to impact their work.

Given the costs of failure around controls and risk management, both financially and reputationally, adopting a more forward-looking approach using forensic analytics may serve to help prevent financial statement frauds, mortgage frauds, and international bribery issues. While some of these situations cannot be completely prevented, an investment in forensic analytic tools can help companies to consider ways to make improvements in their processes today to mitigate the risks of tomorrow.

For more information, please contact:

SamirHansPrincipal Deloitte Financial Advisory Services LLP shans@deloitte.com + 1 571 882 8410

GregorySwinehartNational Service Area Leader Forensic and Dispute Services Deloitte Financial Advisory Services LLP gswinehart@deloitte.com +1 212 436 2089

Join the analytics discussion at www.realanalyticsinsights.com

AboutDeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.