"In today's regulatory landscape, it is clear that the bar has been raised with respect to regulators' expectations of what constitutes an effective compliance program," write the authors of EY's 2014 Global Forensic Data Analytics Survey. Governments, both foreign and domestic, have access to the same analytical, disruptive technologies that private sector firms do. And they are using big data do their jobs.
A strong forensic data analytics (FDA) program, said EY partner Vincent Walden, can help a company not only meet higher regulator expectations for compliance, but also see a significant ROI concerning detection times for fraud and recoveries. It also sends a message, he added, when employees know that meaningful compliance is in place, and the C-suite and the board are watching.
Drawing on internal sources, FDA examine data "with regard to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities." Walden is a Partner in EY's Fraud Investigation & Dispute Services practice in New York City, and is a Certified Fraud Examiner.
EY's 2014 FDA survey suggests that companies may be playing catch up with their counterparts in regulatory agencies: While 72% of respondents believe that big data can play a role in fraud detection, only 7% could name a specific technology, and a scant 2% are using big data tools in their FDA. In addition, over 60% of respondents say they need to improve their anti-fraud procedures and improve management's awareness of the benefits of FDA.
I recently conducted a telephone interview with Walden to talk about FDA and big data tools in the enterprise.
TechRepublic: What is the business case for a strong FDA program? How can an enterprise benefit from this?
Vincent Walden: For publicly traded companies and for any company doing business globally, having a fraud and compliance program is almost a requirement. From a regulatory perspective, the UK Bribery Act, for example, requires that a company have an adequate compliance program. It is not only expected from a regulator's perspective, there is a significant ROI component as well in terms of recoveries and faster detection times. In our survey we found the responses had improved results in recoveries. In fact, it was 11% better than others when they used more of the sophisticated tools. Better results, better return on their audit investment, so to speak.
Further, the Association of Certified Fraud Examiners (ACFE) just released its annual Report to the Nations. The survey found that, while proactive data monitoring and analysis was used by only 35% of the victim organizations in their study, the presence of this control was correlated with frauds that were 60% less costly and 50% shorter in duration.
The other one of course is just the culture itself. It sets a very positive tone at the top when companies demonstrate that they have compliance and forensic analytics and that management is watching.
TechRepublic: What do boards and executives need to know about regulators' expectations? How has the technological ability of regulators to conduct investigations changed in recent years?
Vincent Walden: They need to know that it is an absolute expectation to have meaningful corporate compliance policies, procedures, and monitoring programs in place. There are recent federal sentencing guidelines amendments that talk about this. The Organisation of Economic Co-operation and Development (OECD) has their good practice guidance on this. And of course, when you read the settlement agreements of all the Foreign Corrupt Practices Act (FCPA) cases, they specifically set forth a compliance program. And when you read the deferred prosecution agreements of companies that have been investigated, there is typically a settlement agreement that requires a company to improve their compliance monitoring program.
The second question is really interesting as well. For example, it is interesting to see what the SEC is doing. It is worth your readers googling the words "RoboCop" with "SEC" for what is called the accounting quality model (AQM). The SEC is processing large amounts of data per day of all the public company filings coming in. And they are immediately scanning, risk scoring, and prioritizing this information. So if someone's reserves or numbers in a particular industry look different from their industry peers, then that is flagged. It appears that the SEC, not just companies, is getting more sophisticated in its use of data analytics.
TechRepublic: Are boards starting to catch on to regulators' new capabilities?
Vincent Walden: We found in the survey that the board is definitely aware of the importance of an effective compliance program. Now, how they go about executing it is a different story. According to our survey participants, companies have done a very good job mapping their risks to certain tests or certain FDA tests. For example, the survey showed the number one risk they were concerned about was bribery and corruption, and almost 74% of the respondents said they used anti-corruption analytics in their compliance monitoring. The same was true with financial misstatement and capital projects spending.
But the analytics they were using were primarily rules-based, spreadsheet, or database type analytics. And that's where the problem comes in. When you apply these rules-based questions to try to detect and prevent fraud, you are going to get a lot of false positives. Because it requires you to guess what the fraud is by applying some "rule," you have to design a test and hope that you will stumble across it. Even worse, the survey participants reported that the data volumes used for FDA were quite low. They were not looking at 100% of the transactions; they were taking relatively small samples. For example, when you are a $1 billion company, and you're only looking at 10,000 records, is that truly a good representation?
So the key message is that companies need to think about some of these more big data technologies that go beyond simply rules-based tests. This is why the survey was called "Big risks require big data thinking." You don't necessarily have to go out and integrate the latest big data technologies, such as Hadoop, and completely replace your platform; however, big data thinking involves integrating better data visualizations, as the SEC is doing, better use of statistics, better use of risk scoring, and predictive modeling, which lets the data define itself in terms of anomalies and outliers.
Further, the use of text mining has been a key game changer for our clients. For example, when I am looking at payment descriptions, and I see a phrase like "friend fee" or "respect payment" used in the description of a payment, that shows me pretty well the corrupt-intent nature of that payment. Typically, people are not necessarily looking at the free-text descriptions of payments; they are just looking at the numbers or other variables. So those are the types of big data thinking that are really changing the game, where companies who have been relatively low on the FDA maturity model, are now moving towards more sophisticated analytics techniques.
TechRepublic: What are the most important big data technologies to use in FDA?
Vincent Walden: In our survey, we asked our respondents: "Do you believe big data will play a key role in your fraud detection and prevention?" 72% of respondents said yes. But then we got specific on a separate question and asked how many of the respondents were aware of any specific big data technologies, and only 7% could articulate some of the big data technologies, specifically around map reduce, or Hadoop, or in-memory processing. We also found that only 2% of respondents were using these Hadoop or map reduce big data technologies.
That is different from big data thinking, and I like to use the Gartner definition of big data, which is integrating high volume, high velocities, and high varieties of data. To me this definition is most applicable because in some cases it does not have to be high volume, but for fraud detection and prevention you absolutely need high variety in your data. You don't just want to look at travel and entertainment (T&E) expenses by itself, you want to look at T&E and see what the sales rep is also selling, and you want to look at how many free samples of products that sales rep is giving away to their customers, or discounts or margins provided. Perhaps you even want to look at their social media and see what they're saying online, or in email communications to their customers, when corporate policies and data privacy restrictions allow. That builds the profile of what is corrupt intent or suspicious behavior, not in just one data source, but integrating multiple sources to paint a complete picture. That's really where big data, and some of these newer technologies, are especially beneficial.
TechRepublic: Beyond fraudulent practices, what kinds of risks can analytics help mitigate?
Vincent Walden: There are analytics activities that help keep you out of trouble, and there are analytics activities that help make your business better. FDA is in the category of "keep you out of trouble." Fortunately for companies, the same data sources can be used for both purposes, which helps improve the return on your analytics investment. If you look at accounts payable for example, it has risk components in terms of who is getting paid and for what purpose — "keep us out of trouble," but it also has aspects of "make our business better" in terms of cost savings, discounts not taken, duplicative payments, errors, or supply chain efficiencies. Those are not necessarily forensic or fraud questions, those are business improvement questions, but with the same data source. So often, in our advisory analytics practice, we go to our clients and say, look, we can approach this from not only your fraud risks, but also a cost savings perspective.
- How Big Data is changing the security analytics landscape
- Zettaset closes Hadoop's enterprise big data security gap
- Data lakes vs. data streams: Know the difference to save on storage costs
- Data visualization: When it's the wrong tool for the job
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.