Fraud Triangle Analytics

[Figures referenced in this article are no longer available. — Ed.]

A well-known statistic from the 2008 ACFE Report to the Nation on Occupational Fraud & Abuse says that 66 percent of occupational fraud is detected by anonymous tips or by accident rather than by internal audit, internal controls, or other measures. Internal audits discover only 19.4 percent of occupational fraud, according to the report. 

These statistics challenge the profession. Why isn't internal audit - often the focus of a large amount of time and money in organizations - at the top of the list for detecting incidences of fraud? Part of the answer could be right in front of many CFEs.

The Gartner Research Group, in its May 2005 study, "Introducing the High-Performance Workplace: Improving Competitive Advantage and Employee Impact," states that 80 percent of enterprise content - such as e-mails, user documents, presentations, and Web material - is unstructured in nature. Yet, most internal audit and anti-fraud testing only focuses on the remaining 20 percent of data that's structured, like financial accounting systems or transactional databases.

Reviewing someone's e-mails for potential fraud can be like searching for the proverbial needle in a haystack. Companies might also be a little squeamish about invading the personal privacy of their employees, even though they're typically scanning all employee e-mail activity daily for various threats.

Yet, while organizations have access to the many volumes of e-mail data that flow to and from their offices, there hasn't been a systematic way to cull the data into an organized and effective anti-fraud solution. That is, until now. Welcome to Fraud Triangle Analytics.

ALIGNING KEYWORDS, TERMS AND PHRASES TO DETECT RISKS 

In the May/June article, "Exposing the Iceberg," we introduced a method to detect fraud by analyzing employees' e-mails for keywords, terms and phrases (referred to hereafter as "keywords" for simplicity) that are directly related to the three legs of the well-known Fraud Triangle.

The Fraud Triangle illustrates some of the fundamental concepts of fraud deterrence and detection. In the 1950s, criminologist Dr. Donald R. Cressey (one of the co-founders of The Institute for Financial Crime Prevention, the precursor to the ACFE) developed the Fraud Triangle to explain why people commit fraud. His premise was that all three components - incentive/pressure, opportunity, and rationalization - are present where fraud exists.

For the past year, Ernst & Young's fraud investigators (led by the authors of this article) and an ACFE research team (led by John Gill, J.D., CFE, ACFE's director of research) developed an objective list of keywords that are specific to each Fraud Triangle component. 

The team has accumulated, organized, and tested a library of more than 3,000 keywords distinctive to the major fraud categories: financial statement fraud, asset misappropriation fraud, and corruption fraud. We've also collaborated with the FBI and several Fortune 500 companies to refine the methodology.

STRONG INDICATORS OF TRIANGLE COMPONENTS 

To discover whether e-mail communications are an effective indicator of employees' incentives/pressures, opportunities, and rationalizations, we selected two Ernst & Young cases: one that involved financial statement fraud where the company was recognizing revenue after the cut-off period, in which there was an eventual restatement, and another case that investigated foreign corruption using the U.S. Foreign Corrupt Practices Act (FCPA), which resulted in a conviction.

In the two cases, 21 individuals and more than 2 million e-mails were investigated. Both cases had been resolved when we began our analysis. Our hypothesis: to find an increase in the frequency of keywords from each Fraud Triangle component during the period of alleged fraudulent activity.

The first case, financial statement fraud with revenue recognition, involved a multinational company. Using commercially available text search and retrieval software, investigators searched more than 1.9 million e-mails from 18 suspected executives and related attachments for the keywords in the "financial statement fraud library" we had compiled. The investigation period covered the three months of September, October, and November 2008.

As demonstrated in Figure 3, we observed a sharp increase in all three lists of keywords that we linked to the three components of the Fraud Triangle during the alleged revenue recognition period of these 18 individuals. (Note that keyword hits are expressed as a percentage of total available e-mails in the database on a month-by-month basis for comparative purposes.)  

Each list has its own set of distinct terms related to incentive/pressure, opportunity, and rationalization. This "co-occurance" supports the Fraud Triangle theory that, at least in this example, all three components were present when revenue recognition issues existed.

The top 10 keywords from our financial statement fraud library that drove the hits during the period under review included those in Figure 4.

The corruption/FCPA case also involved a multinational company. Investigators searched more than 105,000 e-mails belonging to the three suspected executives for the keywords in our compiled "corruption fraud library." The investigation went as far back as 2000; however, the key area of focus was the period from September 2006 though March 2007.

As shown in Figure 5, we observed sharp increases from these three individuals in all three lists during the alleged bribery period. (As in Figure 3, keyword hits are expressed as a percentage of total available e-mails in the database on a month-by-month basis for comparative purposes.) Once again, this co-occurance supports Cressey's theory that all three Fraud Triangle components are present when fraud, in this case bribery, was present.

The top 10 keywords from our corruption fraud library that drove the hits during the period under review included those in Figure 6. We also analyzed two additional corruption cases, which yielded similar results (not shown here). We don't suggest that we can draw hard conclusions between e-mail communications and the three components of the Fraud Triangle at this time. However, the results from our investigations so far seem to demonstrate that there's a correlation between the words used by individuals in e-mail communications and behaviors that show a manifestation of incentive/pressure, opportunity, and rationalization.  

Perhaps even more important is that each Fraud Triangle component seems to co-occur at the same time during the fraudulent time period. We encourage the investigative community, including law enforcement, to conduct their own investigations using these methods.

APPLYING FRAUD TRIANGLE ANALYTICS 

 In the first part of this article, "Exposing the Iceberg," in the May/June issue, the fictitious internal audit director, Bonnie Parker, and her team completed its fraud risk assessment.

The team now has determined it needs to conduct additional testing of its 21-member sales department in Africa because they suspect some irregularities in the interactions among salespeople and government officials - a definitive fraud risk. Parker wants to run the corruption fraud library of keywords on e-mails to identify possible bribery evidence.

The internal audit team also customizes its keyword library to include company-specific jargon and industry or geographic-specific keyword terms or phrases. The team begins working with the IT department, in coordination with the company's office of general counsel and related e-mail records policies adopted by the corporation, to collect the live server e-mail communications of the 21-person sales force team from the previous 90 days.

In this example, the members of the sales force team don't need to know about the analysis because the internal audit team won't be inspecting the hard drives of their work computers - just the company server that stores e-mails. This probe isn't yet an investigation; it's part of the company's proactive fraud-monitoring efforts; however, if data is collected outside of the United States, international data privacy laws might be applicable especially in European countries. It's important to consult with legal counsel prior to removing any data outside of the respective country.

NOW FOR A LITTLE MATH   

After running the library of corruption fraud keywords containing the (1) incentive/pressure terms (P-Score), the (2) rationalization terms (R-Score) and the (3) opportunity terms (O-Score) against the e-mail communications, the internal audit team scored each of the lists independently and came up with an overall "fraud score" ranking for the 21 employees. The fraud score is the sum of squares of each component, which allows Parker to sort from highest to lowest risk factor among the 21 employees as demonstrated in Figure 7.

Parker then plotted these scores on a graph. (See Figure 8) She identified the three individuals with the highest R-Score, P-Score, and O-Score. Those three employees, according to the Fraud Triangle theory, are most likely to have committed fraudulent activity.

Parker can follow up with additional e-mail "text" analytics procedures on the three high-risk individuals identified. Such procedures can include such questions as:

• Who's talking to whom? (social network analysis)
• About what? (concept clustering and natural language processing)
• Over what time period? (time series analysis)

Focusing on the three individuals, rather than the 21, and combining the who, what, and when text analytics procedures mentioned previously, Parker can quickly identify key risks, errors or potential fraudulent acts in the data with minimal document-by-document review.   

FRAUD TRIANGLE ANALYTICS AND YOUR ANTI-FRAUD EFFORTS 

You can integrate Fraud Triangle Analytics into your anti-fraud program, especially if your organization has already conducted an internal investigation in which e-mails were a source. The key to the process is developing three lists of words - corresponding to the three components of the Fraud Triangle - rather than a single random list of words.

The Fraud Triangle Analytics chart at the bottom of the page shows steps you can take in conducting a fraud investigation.

FUTURE POTENTIAL FOR FRAUD TRIANGLE ANALYTICS 

The "perfect storm" of fraud is brewing as global economic conditions create increased pressure on earnings while internal controls weaken and staffs are reduced. As bonuses are cut and workloads increase, there also might be an enhanced rationalization to commit fraud. Companies worldwide are identifying processes and methodologies to proactively fight fraud.

The concepts in this article might appear to be nontraditional or outside the "comfort zone" for some because we are analyzing employees' e-mails. These methods surely are different from traditionally analyzing journal entries with ACL, Microsoft's Access, or Excel. Those tools typically rely on "rules-based queries" that require an auditor to "ask questions of the data" based on what is currently known. This approach often requires both time and luck to uncover potential anomalies in data that could include indicators of fraudulent activity.

However, we want to help companies bolster their fraud-detection efforts by incorporating new techniques based on established fraud theory. When combined with traditional rules-based analytics, Fraud Triangle Analytics can be a powerful tool for identifying large and unusual anomalies derived from the multidimensional attributes in e-mail communications surrounding high-risk business events. The results can then be linked back to journal entries as valuable, corroborative evidence.

Fraud Triangle Analytics focuses on high-risk areas in which controls might not necessarily exist or are perhaps even bypassed and, therefore, it fits naturally into creating a more robust fraud risk assessment.

Over time, we expect our library of words, terms and phrases - co-developed by the ACFE - to grow as we conduct more reactive fraud examinations and proactive risk assessments for our clients across multiple industries.  

The Ernst & Young/ACFE keyword list is proprietary and only available to our clients as we continue to invest resources in updating the library with current events and new fraud risks. However, we encourage companies to develop their own keyword libraries based on their previous fraud risks and unique experiences. Similar to Ernst & Young, companies adopting Fraud Triangle Analytics should also strive to update their lists because fraud risks are in constant flux. As companies expand globally, bribery, and corruption issues and FCPA stipulations are rising to the top of managements' list of concerns, and as such, we need to increase our global libraries of words, terms, phrases, and local idioms. For example, in Brazil, to "buy one a cup of coffee" can be used as an expression to offer a bribe.

With help from our global offices, we have translated our keyword library into six languages, including Chinese, Spanish and Russian, and have also added regional idioms. Our long-term goal is to have a library with added local idioms for each of the 140 countries in which we conduct business.

CUTTING COSTS, DETERRING FRAUD 

We're still amazed to discover strong evidence in suspects' e-mails during a reactive fraud examination. But fraud examiners are often bewildered when they are assigned to proactively search through thousands of e-mails generated by fraud suspects in high-risk areas.

Routine Fraud Triangle Analytics can simplify procedures while reducing investigation and litigation expenses by catching fraud in its earliest stages. Employee fraud awareness training and an understanding of the fraud risks in areas of increased exposure throughout an organization can lead to a more heightened awareness of fraud.

While we can't eliminate fraud, we view Fraud Triangle Analytics as one of the newest forms of fraud detection. It's a great tool if used effectively in conjunction with oversight and other measures to control fraud exposure. We recognize that there will still be fraudsters and that Fraud Triangle Analytics can't catch all of them; however, it might help to reduce or identify fraud risk earlier.

Dan Torpey, CPA, CITP; Vince Walden, CPA, CFE; and Mike Sherrod CFE, CPA, are members of Ernst & Young's Fraud Investigation and Dispute Services Practice. 

The authors recognize these individuals for their assistance with the research supporting this article:
John Gill, J.D., CFE, Research Director, ACFE
Dawn Taylor, CFE, Accounting Editor, ACFE
Andi McNeal, CFE, CPA, Research Program Manager, ACFE
Pavan Jankiraman, CFE, Ernst & Young
Anil Markose, CISSP, Ernst & Young
James Phung, Ernst & Young

The views expressed in this article are those of the authors and don't necessarily reflect the views of Ernst & Young LLP.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.