Detectlets for Better Fraud Detection

Conan C. Albrecht, PhD

Marriott School of Management

Brigham Young University

Today’s Presentation

• Give a few fraud stories

• Outline the Detectlet vision and Picalo Architecture

• Show example code and working products

• Describe future research directions and solicit help

Two Types of Fraud

• Fraud on behalf of an organization– Financial statement manipulation to make the

company look better to stockholders– Also called management fraud

• Fraud against an organization– Stealing assets, information, etc.– Also called employee or consumer fraud

ACFE Report to the Nation Occupational Fraud and Abuse

• 2 1/2 year study of 2608 Frauds totaling $15 million– Fraud costs U.S. organizations more than

$400 billion annually.– Fraud and abuse costs employers an average

of $9 a day per employee– The average organization loses about 6

percent of its total annual revenue to fraud and abuse admitted to by its own employees

Ernst & Young Fraud Study 2002 (Europe)

• One in five workers are aware of fraud in their workplace

• 80% would be willing to turn in a colleague but only 43% have

• Employers lost 20 cents on every dollar to workplace fraud

• Types of fraud– Theft of office items—37%– Claiming extra hours worked—16%– Inflating expenses accounts—7%– Taking kickbacks from suppliers—6%

Revenues $100 100%Expenses 90 90%Net Income $ 10 10%Fraud 1Remaining $ 9

To restore income to $10, need $10 more dollars of revenue to generate $1 more dollar of income.

Cost of Fraud

• Fraud Losses Reduce Net Income $ for $

• If Profit Margin is 10%, Revenues Must Increase by 10 times Losses to Recover Affect on Net Income– Losses……. $1 Million– Revenue….$1 Billion

• Large Bank– $100 Million Fraud– Profit Margin = 10 %– $1 Billion in Revenues

Needed– At $100 per year per

Checking Account, 10 Million New Accounts

Fraud Cost….Two Examples

• Automobile Manufacturer– $436 Million Fraud– Profit Margin = 10%– $4.36 Billion in

Revenues Needed– At $20,000 per Car,

218,000 Cars

0

500,000,000

1,000,000,000

1,500,000,000

2,000,000,000

2,500,000,000

3,000,000,000

Year 1 Year 3 Year 5 Year 7 Year 9

Some of the organizations involved: Merrill Lynch, Chase, J.P. Morgan, Union Bank of Switzerland, Credit Lynnaise, Sumitomo, and others.

A Recent Fraud

• Large Fraud of $2.6 Billion over 9 years– Year 1 $600K– Year 3 $4 million– Year 5 $80 million– Year 7 $600 million– Year 9 $2.6 billion

• In years 8 and 9, four of the world’s largest banks were involved and lost over $500 million

Every Person Has A Price

• Abraham Lincoln once threw a man out of his office, angrily turning down a substantial bribe. “Every man has his price”, explained Lincoln, “and he was getting close to mine.”

Examples of Data-Based Detection

Superhuman Workers

• Summed all hours (normal, OT, DT) per two week period, regardless of invoice or timecard)

• Workers were logging hours on two timecards for simultaneous jobs

The Family Business

Work Orders Authorized By Purchaser

The Family Business

Invoice Charges Authorized By Purchaser

The Family Business

Work Orders Given To Contractor Crew

The Family Business

• Tip stated that kickbacks were occurring with a certain company

• We researched the company and determined which purchaser authorized the work

• A contractor crew and company purchaser were family

Systematic Increases In Spending

Systematic Increases In Spending

Unexpected Peaks In Spending

Increases In Only Part Of A Trend

Caught by his Pool…

Research Background

Accounting History

• 1940 SEC Statement: “Accountants can be expected to detect gross overstatements of assets and profits whether resulting from collusive fraud or otherwise” (Accounting Series Release 1940)

• 1961: “If the ten (auditing) standards now accepted were satisfactory for their purpose we would not have the pleas for guidance on the extent of (auditors’) responsibility for the detection of irregularities we now find in our professional literature.” (Mautz & Sharaf 1961)

• 1997 - SAS 82• 2002 - SAS 99

Expectation Gap

Historical Fraud Research

• Excellent literature review by Nieschwietz, Shultz, & Zimbelman (2000)– Who commits fraud– Red flags– Expectation gap– Auditor expectations– Game theory between auditors and management– Auditor-client relationships– Risk assessment, decision aids– Management factors affecting fraud

FS Fraud using Ratio Analysis

• Hansen, et. al (1996) developed a generalized qualitative-response model from internal sources

• Green and Choi (1997) used neural networks to classify fraudulent cases

• Summers and Sweeny (1998) identified FS fraud using external and internal information

• Benish (1999) developed a probit model using ratios for fraud identification

• Bell and Carcello (2000) developed a logistic regression model to identify fraud

• Current work by McKee and by Cecchini and by Albrecht• None have found the “silver bullet” in using external

information to identify fraud– Management (FS) fraud is very difficult to find

What are the Big 4 Doing?

• Each firm seems to have different groups working on fraud detection– No best practices model has emerged

• IT auditors perform control testing on company systems, not fraud detection

• Meeting with Bill Titera of EY

Why Don’t “They” Find Fraud?

• Limited time– Our most precious resource is our attention

• History– Heavy use of sampling - lack of detail– Lack of historical fraud detection instruction

• Lack of fraud symptom expertise• Lack of fraud-specific tools• Lack of analysis skills• Lack of expertise in technology• Auditors do find 20-30 percent of fraud

» ACFE 2004 Report to the Nation

Isn’t there a better way?

Reasonable time requirements

Within reach of most auditors(highly technical skills not required)

Cost effective

Integrate easily into differentdatabase schemas

Integrate AI andauto-detection

Initial Thoughts

• A small “manual” about frauds– Cliff notes about different types of fraud– Describes the scheme– Describes the indicators of the scheme

• Worldwide repository wth contributions from many different industries

• Primary focus was training

Detectlets

• A detectlet encodes:– Background information on a scheme– Detail on a specific indicator of the scheme– Wizard interface to walk the user through

input selection– Algorithm coded in standard format– “How to interpret results” follow-up

• Input is one or more table objects

• Output is one or more table objects

Detectlet Demonstration

• Bid rigging where one person prepares all bids Item BidderAUnit BidderATotal BidderBUnit BidderBTotal BidderCUnit BidderCTotal

1.1.10 1829.85 1829.65 2100.00 1895.001.1.20 1256.99 1256.99 1380.00 1301.881.1.30 3467.52 3467.52 3900.00 3591.361.1.40 4.21 421.00 4.65 465.00 4.36 436.001.1.50 1.91 229.20 2.10 252.00 1.98 237.001.1.60 13328.00 13328.00 15100.00 13804.001.1.70 3360.001.2.10 32.48 162.40 35.60 178.00 33.62 168.201.2.20 13.22 661.00 14.50 725.00 13.69 684.501.2.30 13.89 694.00 15.25 762.50 14.38 719.001.2.40 9.97 229.10 10.95 328.50 10.32 309.601.3.10 124.43 373.29 136.65 409.95 128.88 386.641.3.20 139.63 279.26 153.35 306.70 144.62 289.241.3.30 34.12 102.36 37.45 112.35 35.34 106.021.3.40 124.43 622.15 136.65 683.25 128.88 644.401.3.50 26.82 536.40 29.45 589.00 27.78 655.601.3.60 20.80 416.00 22.85 457.00 21.54 430.801.3.70 39.66 793.20 43.55 871.00 41.08 821.601.3.80 51.48 1287.00 56.55 1413.75 53.32 1333.001.3.90 52.96 1324.00 58.10 1452.60 54.85 1371.251.3.100 52.96 847.36 58.10 929.60 54.85 877.601.3.110 277.28 11091.20 304.50 12180.00 287.19 11487.601.3.120 203.53 223.50 210.801.3.130 45.99 2759.40 50.50 3030.00 47.63 2857.801.3.140 12.19 487.60 13.40 536.00 12.63 505.201.3.150 11.70 468.00 12.85 514.00 12.12 484.801.3.160 12.49 249.80 13.70 274.00 12.94 258.801.3.170 2.45 24.50 2.70 27.00 2.54 25.401.3.180 326.39 326.39 358.00 338.051.4.10 9541.68 9541.62 10480.00 10480.00 9882.46 9882.46

Potential Supporting Platforms

• MS Access• ACL or IDEA• Build ground up application

– Allows total control over platform– Stays with open source rather than tying the program

to a particular platform• For example, consider PowerBuilder

– Supports Windows, Unix, Linux, Mac– Allows embedded use within a greater platform– Personal preference was Python

Picalo: The Supporting Platform

Central Detectlet Repository

How Detectlets Address the Problem

• Limited Time: Detectlets provide a wizard interface for quick execution; they can be chained and automated into a larger system

• High Cost: Detectlets are based in open source software, putting them within reach of small and large accounting firms; they also create a community environment for fraud detection

How Detectlets Address the Problem

• Lack of fraud symptom expertise: Detectlets provide a large library of available routines to both train and walk auditors through the detection process

• Lack of fraud-specific tools: Picalo provides an open solution that we can improve over time; it puts a fraud-specific toolkit in the hands of auditors

How Detectlets Address the Problem

• Lack of analysis skills: Detectlets encode full algorithms and code, allowing the auditor to stay at the conceptual level rather than the implementation level

• Lack of expertise in technology: Detectlets provide a wizard-based solution that are easy to use; Picalo provides an Excel-like user interface

Picalo Level 1 API

Data Structures

The Table object is the basic data structure. Nearly all routines both input and return tables, allowing them to be chained. Its methods include sorting, column operations, row operations, import/export from delimited text and Excel formats.

Column types include Boolean, Integer, Floating Point, Date, DateTime, String, etc.

Simple Module

Provides joining, matching, fuzzy matching, and selection.

col_join, col_left_join, col_right_join, col_match, col_match_same, col_match_diff, compare_records, custom_match, custom_match_same, custom_match_diff, describe, expression_match, find_duplicates, find_gaps, fuzzysearch, fuzzymatch, fuzzycoljoin, get_unordered, join, left_join, right_join, select, select_by_value, select_outliers, select_outliers_z, select_nonoutliers, select_nonoutliers_z, select_records, soundex, soundexcol, sort, etc.

Benfords Module

calc_benford: Calculates probability for a single digit

get_expected: Calculates probability for a full number

analyze: Analyzes an entire data set and calculates summarized results

Crosstable Module

pivot: Similar to Excel’s pivot table function

pivot_table: Pivots and keeps detail in each cell

pivot_map: Pivots and keeps results in a dictionary rather than a grid

pivot_map_detail: Pivots and keeps results in a very detailed fashion using a dictionary

Database Module

OdbcConnection: Connects to any ODBC-compliant database

PostgreSQLConnection: Connects to PostgreSQL

MySQLConnection: Connects to MySQL

Also includes various query helper functions, such as query creation, results analysis, etc.

Financial Module

Calculates various financial ratios to help in financial statement analysis:

Current ratioQuick ratioNet working capitalReturn on assetsReturn on equityReturn on common equityProfit marginEarnings per shareAsset turnoverInventory turnoverDebt to equityPrice earnings

Grouping Module

Stratification gives the details behind SQL GROUP BY. It keeps the detail tables rather than summarizing them.

stratify: Stratifies a table into N number of tables

stratify_by_expression: Stratifies a table using an arbitrary expression

stratify_by_value: Stratifies on unique values

stratify_by_step: Stratifies based on a set numerical range

stratify_by_date: Stratifies based on a date range

Summarizing is similar to SQL GROUP BY, but it allows any type of function to be used for summarization (GROUP BY generally only allows sum, stdev, mean, etc.)This can by done in the same ways as stratification.

Trending Module

Various ways of analyzing trends and patterns over time.

cusum, highlow_slope, average_slope, regression, handshake_slope

Python Libraries

Powerful yet easy language with a significant online community

Full object-oriented support (classes, inheritance, etc.)

Text maniuplation and analysis routines

Web site spidering routines

Email analysis routines

Random number generation

Connection to nearly all databases

Web site development and maintenance

Countless libraries available online (almost all are open source)

Research Directions

Level 1 Research

• Foundation routines for fraud detection– Development, testing, empirical use, field studies

• Connections to production software– Standard SAP, Oracle, Peoplesoft, JD Edwards, etc.

modules

• Application of CS, statistics, other techniques to fraud detection– Time series analysis– Pattern recognition for fraud detection

Level 2 Research

• Studies about detectlet presentation, user interface

• Creation and testing of detectlets for industries, data schemas, etc.

• Detectlets for financial statement fraud detection

• Testing of detectlet vs. traditional ACL-type fraud detection

• Patterns of detectlet development, best practices

Level 3 Research

• Automatic mapping of field schemas to a common schema

• Application of expert system, learning models for automatic detection– Decision trees– Classification models

• Meta-detectlets to combine various Level 2 detectlets into higher-level logic

Other Research

• Group-oriented processes for the central repository– Searching, categorization– Testing, rating systems

• Marketplaces for detectlets

• Development of Picalo itself

My Hope

• In 5 years we’ll have a large repository of detectlets to:– Support both external and internal auditors– Teach students in fraud classes– Conduct theoretical and empirical research

http://www.picalo.org/