Innovation Update

You can't monitor what you can't measure

Fraud examination thought leaders are working to innovate anti-fraud processes. Column editor Vincent M. Walden, CFE, CPA, in conjunction with other professionals, reports original concepts that help improve the effectiveness and efficiency of anti-fraud monitoring. EY Fraud Investigation & Dispute Services (FIDS) and Anheuser-Busch InBev contributed to this column.* — ed.

Fraud examiners and compliance professionals have used continuous monitoring with evidence-based, anti-fraud prevention and detection analytics programs for many years. Historically, the volumes of data generated by businesses have far outpaced the ability of risk-oriented business functions to manage that data, and the inherent risks evident within it, but this is changing. Digital transformation is impacting almost every aspect of today’s global organizations, including the risk management, compliance and legal functions. Organizations that have implemented continuous monitoring programs in the past are now looking to improve their data analytics programs more efficiently and effectively, and in objective and actionable ways.

However, challenges still exist. Continuous monitoring and forensic data analytics platforms can sometimes be plagued with burdensome data volumes, an inability to access or integrate disparate data sets, lack of technical or domain expertise and inadequate technologies to analyze data, among other issues.

Rapid digitalization and increasing regulatory complexities are creating new fraud compliance risks and other compliance issues. In response, agile organizations are using innovative analytical remedies to help counter those risks.

Risk scoring to the rescue

One such fraud risk tactic is the concept of data integration through “transaction risk scoring.” Transaction risk scoring isn’t a new concept in the financial services industry — particularly in credit card transactions. Credit card companies use real-time transaction data for scoring credit risk by creating personalized risk profiles that identify individuals’ patterns of behavior as they happen. Financial services companies also use these patterns to increase the predictive accuracy of future transactions. Transaction scoring helps credit card issuers, for example, see their customers’ behaviors more deeply and clearly, which helps the banks be more precise, measured and responsible in managing credit card fraud risk.

Other organizations have also been demanding more objective, repeatable and auditable methodologies to make actionable, data-driven decisions. The risk-scoring concept has gained broader acceptance with prioritizing and risk ranking of third-party payments — particularly in the fight against occupational fraud and global corruption. In fact, a recent survey of 745 legal, compliance and fraud risk professionals spanning 19 countries found that 72 percent of respondents plan to adopt risk scoring and data aggregation into their forensic data analytics program within the next year. (See EY’s Global Forensic Data Analytics Survey 2018.)

Organizations can achieve more objective, repeatable and auditable transaction risk-scoring methodologies through processes of 1) data aggregation, 2) risk scoring & analysis, 3) reporting & visualization and 4) actionable decisions using triage and case management tools, which can then enable predictive modeling and machine learning. (See Figure 1 below.)

Figure 1: An effective risk-scoring process for a forensic data analytics program

A single transaction is the lowest common denominator for calculating a risk score

Risk attributes that are indicative of fraudulent transactions, particularly with corruption and asset misappropriation schemes, can be hidden within the general ledger; you typically have to dig down into the details of the sub-ledgers (e.g. payments sub-ledger for vendors or sales sub-ledger for customers). Additional data sources, such as client relationship management and human resources data, can enrich the analysis by contributing additional fields that might bolster relevant risk attributes.

Take an organization’s procure-to-pay transactions for example. As depicted in Figure 2 below, organizations can integrate internal and external data sources into a centralized analysis platform. Data sources could include payments data, vendor master, employee master, third-party due diligence data, travel and entertainment data, investigations data and even external data sources such as news, indices and social media. This integration can result in a greater ability to develop risk-scoring models and prioritize compliance focus areas based on transactions with higher-risk attributes.

Figure 2: Example of data aggregation mapped to targeted anti-fraud tests and risk scores

Scoring and analyses

Risk scoring helps associate a more objective measure of risk to the transactions. Organizations can have millions, if not billions, of transactions. Aggregating those respective transactions and associated entities (e.g., vendors, customers or employees) can help prioritize compliance, internal audit or investigative resources.

“The application of risk scoring certain business transactions based on multiple risk attributes is being explored across multiple compliance functions,” says Martim Della Valle, AB InBev’s chief compliance officer. “I’m particularly interested in its application in anti-trust compliance monitoring as well as traditional anti-fraud and anti-corruption monitoring.”

The entities and the organizations they interact with aren’t mutually exclusive. A certain set of transactions can increase the risk of both a customer and an employee. The underlying premise assumes that a transaction is riskier when it contains more risk attributes (e.g., four risk attributes versus one or two).

For example, if a payment meets four criteria: 1) it’s an urgent payment, 2) it’s paid to a political or state-owned entity, 3) it bypasses due diligence and 4) it goes to a high-risk vendor type, we might assume it’s riskier than other payments that meet only the urgent payment criterion. Further, some risk attributes, such as a politically connected entity, might carry more inherent risk than other attributes, so the model should be flexible enough to add weight to those higher-risk variables. Figure 3 below shows a sample framework that describes this process.

Figure 3: Sample framework of risk scoring
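
The weighted scoring and entity roll-up described above, as an added example that is not from the column or from either contributing organization. The attribute names, weights, vendor IDs and payments are constructed assumptions; a flat weighting is included to show how the vendor ranking changes when a higher-risk attribute is given more weight.

```python
from collections import defaultdict

# Assumed weights for the column's four example attributes (illustrative values):
# the politically connected attribute carries the most weight.
WEIGHTS = {
    "urgent_payment": 1.0,
    "political_or_state_owned": 3.0,
    "bypassed_due_diligence": 2.0,
    "high_risk_vendor_type": 1.5,
}
FLAT = {name: 1.0 for name in WEIGHTS}  # every attribute counts the same

def score_transaction(txn, weights=WEIGHTS):
    """Weighted sum of the risk attributes present on one payment."""
    hits = [name for name in weights if txn.get(name)]
    return sum(weights[name] for name in hits), hits

def rank_vendors(txns, weights=WEIGHTS):
    """Roll payment scores up to each vendor and rank highest risk first."""
    rollup = defaultdict(lambda: {"max": 0.0, "total": 0.0, "payments": 0})
    for txn in txns:
        score, _ = score_transaction(txn, weights)
        stats = rollup[txn["vendor"]]
        stats["max"] = max(stats["max"], score)
        stats["total"] += score
        stats["payments"] += 1
    # Worst single payment first, total score as tie-breaker.
    return sorted(rollup.items(),
                  key=lambda kv: (kv[1]["max"], kv[1]["total"]), reverse=True)

# Constructed sample payments (hypothetical vendors and flags).
PAYMENTS = [
    {"id": "P1", "vendor": "V-100", "urgent_payment": True},
    {"id": "P2", "vendor": "V-200", "urgent_payment": True,
     "political_or_state_owned": True, "bypassed_due_diligence": True,
     "high_risk_vendor_type": True},
    {"id": "P3", "vendor": "V-100", "urgent_payment": True,
     "high_risk_vendor_type": True},
    {"id": "P4", "vendor": "V-300", "political_or_state_owned": True},
    {"id": "P5", "vendor": "V-400"},
]

if __name__ == "__main__":
    for label, weights in (("weighted", WEIGHTS), ("flat count", FLAT)):
        print(label)
        for vendor, stats in rank_vendors(PAYMENTS, weights):
            print(f"  {vendor}: {stats}")
```

With the assumed weights, the vendor with a single politically connected payment (V-300) ranks above the vendor with two lower-weight flags on one payment (V-100); with flat weights the order reverses.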

“At Anheuser-Busch InBev, we invested heavily in analytics to drive compliance assessment of businesses integrated into the company as part of the recent purchase of SABMiller,” says Matt Galvin, global head of investigations, AB InBev. “This led us to move towards compliance and fraud risk monitoring as part of our routine operations. Our priority scoring starts at the transactional level and rolls up to a specific vendor, business, country and zone risk for compliance and business stakeholders to monitor each month.”

Working together symbiotically

Using sophisticated data-visualization capabilities focused on forensic data analytics has become more important than ever given the mass adoption of cloud computing. And the use and sophistication of data-visualization capabilities focused on forensic data analytics continue to grow exponentially.

Visualizing data in a dashboard review platform assists analysts in identifying trends and patterns that help in decision making. Transaction risk scoring provides a repeatable, mathematical process for identifying higher-risk transactions. Using dashboards enables analysts to apply their professional judgment based on analytics frameworks they understand and that reflect their expertise. This professional judgment is unlocked when users are able to filter transactions in meaningful ways such as by type, time, geographic region or amount.

When transaction risk scoring and dashboard reviews are integrated into the same analytics platform in an intuitive, easy-to-follow workflow, an organization can better prevent and detect fraud.

Visualizations and analytics can point to the issues, but they don’t replace the professional review of supporting documents such as contracts, purchase orders, delivery notes and/or invoices for vendors to draw conclusions on risks and the need for investigations. “The key is to have the objective and subjective review drivers reinforce and effectively prioritize what is truly salient to the high-level user,” says Richard Thomas, EY partner in the Fraud Investigations & Dispute Services (FIDS) practice, who’s helping to design such systems.

To integrate additional activities, dashboards have expanded from delivering simple data summaries and charts to integrating highly sophisticated tools for statistical and text analysis, interfaces for case management, triage and workflow activities. When the system identifies higher-risk transactions or entities, analysts now have the ability to “tag” the item(s) and, if appropriate, escalate or open a case for further inquiry or investigation right in the dashboard.

This tagging functionality is also important if the organization plans to use predictive modeling or machine learning on the basis of human selections and conclusions. After analyzing the analysts’ tagging of potentially improper or corrupt payments, over time the system can learn and profile future transactions with statistically similar attributes.

Figure 4: Transaction risk-scoring example — employee risk ranking

Questions to ask your organization

When measuring the effectiveness of your anti-fraud and compliance efforts:

  • How are you using data analytics to test for program effectiveness?
  • What fraud risk areas and entities best warrant the use of transaction monitoring or risk scoring to proactively identify anomalies or areas of malfeasance?
  • How does your organization prioritize transactions/entities for further analysis and monitoring?
  • How can you integrate workflows and case management to enable analysts to produce more efficient analysis and follow up?
  • Have you considered predictive modeling and machine-learning techniques in your forensic data analytics program to effectively learn from past high-risk events?
  • Is the documentation of your risk-based approach in line with regulatory expectations?

Measuring what matters

Fraud examiners and compliance professionals know it's hard to monitor what can't be measured. By utilizing risk-scoring techniques as described in this column, legal, compliance and anti-fraud professionals have one more way to keep pace with the ever-growing data generated by the business. Risk scoring allows these professionals to better proactively manage risk by focusing on what matters most.

Vincent M. Walden, CFE, CPA, is a partner with EY. His email address is: Vincent.Walden@ey.com.

*EY team contributors: Richard Thomas, richard.thomas2@ey.com; Barb Lambert, barb.lambert@ey.com; and Irem Emir, irem.emir1@ey.com. Anheuser-Busch InBev team contributors: Matthew Galvin, Matthew.Galvin@ab-inbev.com and Martim Della Valle, Martim.DellaValle@ab-inbev.com.

 
