Cushion glides are the size of large thumb-tacks that get pushed into the bottom of chair legs. They help protect office floors. One organization found out these innocuous devices can also be used for fraud.
The procurement department — including the manager — was part of a kickback scheme with the supplier to slowly hike the glides’ price to $10 from $1 a package. When the organization buys 20,000 of the glides over a year, that adds up: Instead of paying $20,000, the firm was paying $200,000, with employees in on the scheme getting a kickback.
They were caught with fraud data analytics.
A bright staffer in the audit department decided to add data analytics to the unit’s tools. The first department tested was procurement. The auditor was looking for anomalies in the prices the firm spent on goods over a 12-month period. The glides stuck out — pardon the pun — like a thumb-tack. All it took was an investigation to find out why.
Sohail Saleem, executive director of internal audit at Calgary’s Mount Royal University, used that story at this week’s virtual conference of the Canadian chapter of the Association of Certified Fraud Examiners to explain the usefulness of fraud data analytics.
“This is just a small example of how fraud data analytics could be a way to detect fraud in the organization,” he said. “There are tons of stories that would tell of the benefit of implementing fraud analytics.”
Here’s a more recent example: In July, the City of Edmonton said it lost almost $1.6 million in a road sign invoice scam that ran for several years. In one case, a manager gave contracts for signs, barricades and traffic cones to a relative, while in the second, another manager made directed purchases and approved invoices to a company. The city received no products, and upon closer examination, the employee’s home address matched the alleged manufacturer’s address on the invoices.
“If the city had implemented data analytics they could have compared employee and vendor address and the fraud would have been detected long ago,” said Saleem.
After the incidents were discovered, the city auditor recommended that council approve a fraud analytics program.
Another example: The $1.8 million printer toner scam
A U.S. library employee was caught buying $1.8 million in printer toner and reselling the cartridges for profit. The purchases were approved but no one checked where the toner went.
This particular example, Saleem says, is why organizations need to closely check the use of P-cards (otherwise known as purchasing on corporate credit cards). Fraud analytics can detect duplicate or split purchases (bypassing a spending limit by splitting the price), suspicious purchases on weekends and statutory holidays, and purchases after an employee’s termination.
Implementing fraud data analytics can be a simple as creating a script to run against data or buying dedicated analytics software. Either way the goal is to analyzes large volumes of data for patterns — discrepancies and anomalies — for further investigation.
Some financial departments do sample testing of data for this reason. Experts say that’s a valid audit approach but it isn’t as effective for fraud detection, which requires large volumes of data — purchases over a year, for example.
Analytics can be run across a wide range of data including sales records, expense reports, inventory reports, customer data and more.
A tool for deterrence
And while discovering fraud is the ultimate goal, Saleem says just announcing to staff that a fraud detection analysis program is coming can be a deterrent to those thinking about dishonesty.
Among the benefits of a fraud detection program, a board can be assured an entire section has been examined as opposed to spot sample testing, he explains. Detection can be implemented at the time of or close to transactions, increasing the odds that fraud and business control gaps can be detected early.
The best way to implement a fraud data analysis program is with a plan, Saleem says. Understand why you are doing it, the benefits expected and the areas where it will be used. A fraud risk assessment will help. Decide if the internal IT staff can help or whether consultants will be needed. Preliminary tests will show if you’re on the right track and run scripts regularly to be effective.
Don’t start fraud detection analytics with a complex project, he warns. Look for low-hanging fruit (procurement, expenses, salaries). Can’t afford new software? Use a spreadsheet.
The program should be coordinated with management, the risk and compliance department and internal auditors. It’s also important to understand the data that is being examined. The old rule of “garbage in, garbage out” holds here, he adds. That also means being aware of false positives.
“My key message,” Saleem said, “is you have start somewhere. Start slow, keep on expanding … You will see the benefits.”