“Fraud and information technology” by Roderick M. Vega (February 13, 2012)

SUITS THE C-SUITE By Roderick M. Vega
Business World (02/13/2012)

Information technology (IT) has become indispensable in the 21st century. Work, in particular, has been transformed by IT. We can work faster, with more flexibility and overall efficiency.

Anyone can have access to vast amounts of information available anytime and anywhere. Unfortunately, so do the fraudsters of the world. Fraudsters need not be near their subject of interest like money, people, information or anything of value. A fraudster can now use as a weapon any tool or device that can access large amounts of valuable information and any means of communication. A fraudster can very well cause significant damage to hapless victims by stealing money or information, or damaging reputation with the use of a computer, tablet, or mobile phone.

Companies are battling with these fraudsters, using the same weapons. Besides beefing up IT security to prevent unauthorized internal and external intrusions on their confidential information, companies are using IT to be more proactive in detecting potential fraud. Data analytics (DA) and proactive IT forensics are examples of the tools companies use in fighting fraud.

DATA ANALYTICS

Some companies use DA to identify and detect potential anomalies in their databases, be it in sales, collections, purchases, payments, payroll, or production. DA can be applied to any transaction or account that has a large volume of data which would otherwise not be readily visible or available for analysis.

DA works by extracting existing data from servers, filtering these data, and running data scripts with risk scores for different types of trends or patterns. Assigning risk scores makes the DA more effective in filtering high priority items or transactions because of their higher likelihood of fraud.

When the DA results are converted into visual presentation, the outcome can be compelling, as this allows a broad yet precise look into high-risk transactions that indicate fraud. With DA, companies are able to detect potential fraud such as bid-rigging, fictitious and duplicate payments in procurement, and fictitious employees in payroll. Besides spotting potential irregularities, DA can also identify probable internal control overrides and non-compliance with policies and procedures, including splitting of purchases or payments and abuse of reimbursement or cash advance limits.
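
The risk-scoring step described above, as an added example that is not from the original column: a short Python script that flags duplicate payments and split purchases in a payment ledger and ranks them by score. The ledger rows, the approval limit and the score weights are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 50_000  # assumed single-approver purchase limit
WEIGHTS = {"duplicate_payment": 60, "split_purchase": 40}  # assumed risk scores

# Constructed sample ledger: (payment id, vendor, invoice no., amount, date)
PAYMENTS = [
    ("P001", "Acme Supply", "INV-1001", 48_000, date(2012, 1, 9)),
    ("P002", "Acme Supply", "INV-1002", 47_500, date(2012, 1, 9)),
    ("P003", "Delta Tools", "INV-2001", 12_300, date(2012, 1, 10)),
    ("P004", "Delta Tools", "INV-2001", 12_300, date(2012, 1, 24)),
    ("P005", "Omni Trade", "INV-3001", 9_800, date(2012, 1, 11)),
]

def score_payments(payments, limit=APPROVAL_LIMIT):
    """Return {payment_id: (score, [flags])} for payments that hit a rule."""
    flags = defaultdict(set)

    # Rule 1: same vendor, invoice number and amount paid more than once.
    by_invoice = defaultdict(list)
    for pid, vendor, invoice, amount, _ in payments:
        by_invoice[(vendor, invoice, amount)].append(pid)
    for pids in by_invoice.values():
        if len(pids) > 1:
            for pid in pids:
                flags[pid].add("duplicate_payment")

    # Rule 2: several payments to one vendor on one day, each within the
    # limit, that together exceed it (possible splitting to avoid approval).
    by_day = defaultdict(list)
    for pid, vendor, _, amount, day in payments:
        if amount <= limit:
            by_day[(vendor, day)].append((pid, amount))
    for group in by_day.values():
        if len(group) > 1 and sum(a for _, a in group) > limit:
            for pid, _ in group:
                flags[pid].add("split_purchase")

    return {pid: (sum(WEIGHTS[f] for f in fs), sorted(fs))
            for pid, fs in flags.items()}

def review_queue(payments):
    """Flagged payment ids, highest risk score first."""
    scored = score_payments(payments)
    return sorted(scored, key=lambda pid: (-scored[pid][0], pid))

if __name__ == "__main__":
    for pid in review_queue(PAYMENTS):
        print(pid, *score_payments(PAYMENTS)[pid])
```

A flagged payment is a lead for validation, not a finding of fraud; each hit still needs to be checked against the supporting documents.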

The C-Suite, including the Chief Finance Officer, Chief Audit Executive, and Chief Compliance Officer, as well as the Head of Procurement, are among the senior managers who sponsor DA projects. As the officers responsible for different units, locations and employees, they usually find DA useful in highlighting potential priority problem areas. They can deploy resources immediately to validate identified anomalies and institute timely corrective measures to deflect fraud.

While DA has been delivering good results and increasing its coverage, DA’s obvious limitation is that it only works when there are databases that can be mined and analyzed. Databases must be “structured data,” with tables, columns, rows and fields.

Based on a study by Gartner Research, structured data only accounts for 20% of the total digital information of a company. The remaining 80% comprises e-mails, text, graphics, presentations, and spreadsheets, which are considered unstructured data. Gartner Research also found that few organizations have the methodologies or technologies to address structured data. If DA can help companies identify potential fraud while covering only 20% of the available information, imagine what other frauds can be uncovered if unstructured data can be analyzed.

IT FORENSICS

The challenge of mining unstructured data is where proactive IT forensics can make its mark. IT forensics is usually employed to aid investigations where a computer forensics expert is tasked to image, process and analyze the contents of target hard drives and look for digital information that can be used as evidence in support of allegations. The types of investigation that employ IT forensics are applicable to most types of fraud, but are highly useful for investigations dealing with corruption, which is one of the most challenging frauds to prove.

Companies usually initiate IT forensics following allegations of fraud from whistle-blowers or other sources. In this reactive use of IT forensics, companies are mainly concerned with determining the extent of damage inflicted by the fraud on their organizations. But most companies may prefer a more proactive use of IT forensics, including early fraud detection, to minimize the damage to their organization. This is the premise of proactive IT forensics.

To illustrate, a company suspecting bribes or kickbacks to customer representatives to win contracts or sales orders can discreetly image and analyze the company-assigned computers or mobile phones of target company officers who deal with these customer representatives. The company can then look for information or files that may indicate, or hint at, such behavior by the target officers, such as conversations or e-mail exchanges with customer representatives. The company must be familiar with the language or codes used when discussing bribes or kickbacks. A smart fraudster will not use these words directly but may instead use terms such as incentives, bonus, special pay, facilitation, goodwill, and other creative terms.

The same proactive computer imaging and analysis can be used in the company’s procurement division where the targets are employees who deal with suppliers and contractors, who select or influence the selection of winning vendors, and who negotiate the purchase terms. The company looks for information or files that indicate that vendors may be offering bribes or kickbacks to the company’s employees to award the purchase to these vendors.

The hints can be subtle, like setting appointments outside the office or regular business hours. Preferably, proactive IT forensics should be done discreetly so that the company can benefit from the element of surprise. However, before employing proactive IT forensics, a company should ensure it has appropriate policies in place to guard against accusations of violating employees’ privacy rights. For instance, companies can inform employees that their e-mails are subject to monitoring and require the execution of a waiver.

DA and IT forensics are weapons traditionally used in reactive investigations. But companies are starting to use them for fraud deterrence and detection. Their effectiveness in fighting fraud still remains to be seen, but initial results are promising. There have been instances when the use of DA or IT forensics eventually led to full-blown investigations. These monitoring tools can be an effective deterrent to potential fraudsters. Until fraudsters can figure out how to get around these tools, they may have to revert to “old school” means to further their illegal activities (i.e., preparing manual documents and face-to-face negotiations for that kickback).

Roderick M. Vega is a partner of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.