Taking the Right Steps to Integrated Data-Driven Oversight

Leveraging Data to Monitor Fraud, Waste and Abuse

Melanie Rowley, CISA PMP ITIL, ACL Services
Bill Kelley, CISA CISM

Reporting and Analytics – Process Overview

Diagram flow: Drivers → Reporting and Analytics Function → Uses/Users, with Feedback returning to the function and Input from Various Sources feeding it.

Example Standard Reporting
• A-123/133 Compliance
• Spend Analytics
• Fraud, Waste, and Abuse
• Tax Recovery

Example Ad-hoc Reporting
• IG – All card activity data; Contract award data
• GAO – Small Business Purchases; Identified fraud issues by location
• OFM – Off-hour purchases; Cash payments without documentation
• Ass't Secretary – Best Price Purchases; Purchases to Green Vendors

Uses
• Fraud and Accountability
• Card Program Management
• Transition Management
• Training, Learning, and Development
• Risk Management
• Fraud, Waste, and Abuse Detection and Prevention
• Performance Measurement and Benchmarking
• Tax Exemption and Recovery
• Spend Analysis and Strategic Sourcing
• Research and Intelligence

Users
• Revenue/Tax
• Audit
• Retirement Managers
• Human Resources
• Program Managers

End to End Process for Grant Oversight

Life-cycle flow (diagram): Solicitations → Proposals → Review → Award → Cash Request → Cash Disbursements → Pay/Entitlement → Post Award → Close-out. Data analysis spans the whole life cycle.

Pre-award risks
• Funding Over Time
• Conflict of Interest
• False Statements
• False Certifications
• Duplicate Funding
• Inflated Budgets
• Candidate Suspended/Debarred

Active award risks
• Unallowable, Unallocable, Unreasonable Costs
• Inadequate Documentation
• General Ledger Differs from Draw Amount
• Burn Rate
• No/Late/Inadequate Reports
• Sub-awards, Consultants, Contracts
• Duplicate Payments
• Excess Cash on Hand/Cost Transfers
• Unreported Program Income

Award end risks
• No/Late Final Reports
• Cost Transfers
• Spend-out
• Financial Adjustments
• Unmet Cost Share

Dr. Brett M. Baker, 2010

Reasons Oversight Is Not Always Effective

• Not adequately verifying (drive-bys)
• Tendency to avoid conflict with people
• Education: fraud detection is not taught in school
• Pressure to finish audits
• Auditor vs. investigator: auditors have a bias toward documents while investigators have a bias toward witnesses
• Not understanding business operations and the impact of control weaknesses
• Not talking to lower-level personnel
• Warning signs not recognized

Reasons We Miss Inappropriate Transactions When We Get Data

• Poorly defined scope
• Data acquisition
• Manually maintained data
• False positives
• Lack of familiarity
• Data storage systems
• Software systems
• Organizational processes
• Lack of support from senior leadership

Fraud Enablers

• Defensive Posture
• Expanding Ranks of Fraud Mobsters
• Fragmentation
• Lack of Law Enforcement Coordination
• Unlimited Opportunities
• "Cost of Doing Business" Mindset
• Lack of Awareness at Executive Levels
• Minimal Deterrent

Framework for Aggressive Active Oversight

Data analytics-driven, risk-based methodology to improve oversight
• Identify institutions that may not use Federal funds properly
• Techniques to surface questionable expenditures

Life cycle approach to oversight
• Mapping of the end-to-end process to identify controls
• 100% review of key financial and program information
• Focus attention on award and expenditure anomalies

Complements traditional oversight approaches
• Techniques to review processes and transactions are similar
• Transactions of questionable activities are targeted

Things to Talk About

• Use analytics software to track and document results of identified high-risk transactions selected for further review and investigation
• Carry out the auditor's responsibility for assessing fraud risk factors and evaluating internal controls and standards
• Management can and should use similar methods to conduct reviews to meet internal control standards and the associated 17 internal control principles
• Demonstrate the types of evidence-gathering techniques used to identify anomalous behavior by individuals, business units, components, or the organization

Risks Concepts

When you press … and money comes out, we need to mitigate our risk.

Areas of Concern When the Money Button Is Pushed

The following areas are problematic and may occur in various combinations:

Individual Use Purchases – Purchase of vehicles, vacation trips, TVs, clothes, stereo systems, and jewelry.

Vendor Fraud – Vendors charge additional fees for services already paid for, and the charges go unquestioned.

Employee Conspiracy With Vendor – Employees receive kickbacks in the form of vacations, gifts, and other benefits by manipulating refunds/credits or making excessive purchases. Vendors share profits with conspiring employees.

External Fraud – Organized crime and individual fraudsters commit fraud using compromised cards in the same ways used against non-government cardholders, with the key difference that the government is self-insured.

Other – Includes year-end spending rush and stockpiling issues, supervisor pressure, and expediting the mission by circumventing laws and regulations (e.g., repeated split purchases).

What does Fraud have to do with Terrorism?

Everything isn't always what it seems to be!

Anomalies Happen

Common Sense Patterns

• If it does not make sense…
• It is not normal…
• It seems unusual…
• Too coincidental…
• Too frequent…

There is no right answer. There is no wrong answer. Merely an interpretation in context.

Too Much Commonality

• Many patterns are exposed due to repeating behaviors
• Too many commonalities may indicate organized behaviors
• Subjects perpetrate the same crime at different financial institutions
• Only minor changes in their underlying Modus Operandi (MO)

GAO: Questionable Debit Card Charges

GAO examples of "questionable" charges for use of debit cards:
http://www.gao.gov/new.items/d06844t.pdf

Doctor Shopping Pattern

Target suspect is related to multiple doctors for the same prescription types.

(Diagram: SUBJECT linked to PHYSICIAN-A through PHYSICIAN-G.)

Multiple Pharmacy Usage

Target suspect uses multiple pharmacies to fill his prescriptions.

(Diagram: SUBJECT linked to WALGREEN DRUG STORE, RITE-AID PHARMACY, ECKERD, GIANT PHARMACY, ACME PHARMACY, and CVS PHARMACY.)

The structure of this pattern is virtually identical to the doctor-shopping pattern.
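Both slides describe the same one-to-many shape: one subject linked to many distinct counterparties for the same prescription type. The following is an added example (not code from the deck, from ACL, or from the presenters) that scores that fan-out generically so the same function covers prescribers and pharmacies. The prescription records are constructed sample data, and the 90-day window and the threshold of three counterparties are assumed parameters; the slides only describe the shape of the pattern, not a cut-off.

```python
from collections import defaultdict
from datetime import date

# Constructed prescription-fill records, not real data.
# Fields: subject, prescriber, pharmacy, drug_class, fill_date
FILLS = [
    ("SUBJECT-1", "PHYSICIAN-A", "WALGREEN DRUG STORE", "opioid", date(2010, 1, 4)),
    ("SUBJECT-1", "PHYSICIAN-B", "RITE-AID PHARMACY", "opioid", date(2010, 1, 11)),
    ("SUBJECT-1", "PHYSICIAN-C", "ECKERD", "opioid", date(2010, 1, 19)),
    ("SUBJECT-1", "PHYSICIAN-D", "GIANT PHARMACY", "opioid", date(2010, 2, 2)),
    ("SUBJECT-1", "PHYSICIAN-E", "CVS PHARMACY", "opioid", date(2010, 2, 16)),
    # SUBJECT-2 sees two prescribers for a maintenance drug: an ordinary change of doctor
    ("SUBJECT-2", "PHYSICIAN-A", "CVS PHARMACY", "statin", date(2010, 1, 5)),
    ("SUBJECT-2", "PHYSICIAN-A", "CVS PHARMACY", "statin", date(2010, 4, 5)),
    ("SUBJECT-2", "PHYSICIAN-B", "CVS PHARMACY", "statin", date(2010, 7, 6)),
    # SUBJECT-3 uses three prescribers, but months apart, so no 90-day window holds all three
    ("SUBJECT-3", "PHYSICIAN-F", "ACME PHARMACY", "opioid", date(2010, 1, 6)),
    ("SUBJECT-3", "PHYSICIAN-G", "ACME PHARMACY", "opioid", date(2010, 6, 7)),
    ("SUBJECT-3", "PHYSICIAN-A", "ACME PHARMACY", "opioid", date(2010, 11, 8)),
]

PRESCRIBER, PHARMACY = 1, 2  # column holding the counterparty to fan out on


def fan_out(records, counterparty_col, window_days=90, threshold=3):
    """Return {(subject, drug_class): [counterparties]} for every subject linked to
    at least `threshold` distinct counterparties for the same drug class within
    some span of `window_days` days. Window and threshold are assumed tuning
    parameters, not values from the slides."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r[0], r[3])].append((r[4], r[counterparty_col]))
    hits = {}
    for key, links in by_key.items():
        links.sort()  # by fill date
        best = set()
        for i, (start, _) in enumerate(links):
            # distinct counterparties seen in the window that opens at this fill
            in_window = {cp for d, cp in links[i:] if (d - start).days <= window_days}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            hits[key] = sorted(best)
    return hits


def doctor_shopping(records, **kw):
    """Subject related to many prescribers for the same prescription type."""
    return fan_out(records, PRESCRIBER, **kw)


def pharmacy_hopping(records, **kw):
    """Same structure, fanning out on the pharmacy instead of the prescriber."""
    return fan_out(records, PHARMACY, **kw)


if __name__ == "__main__":
    for label, hits in (("doctor shopping", doctor_shopping(FILLS)),
                        ("multiple pharmacies", pharmacy_hopping(FILLS))):
        for (subject, drug), parties in hits.items():
            print(f"{label}: {subject} / {drug}: {len(parties)} distinct -> {', '.join(parties)}")
```

The window is what keeps SUBJECT-3 out of the hit list: three prescribers over a year is consistent with moving or changing doctors, while five prescribers in six weeks is not. Widening the window to a year surfaces SUBJECT-3 as well, which is the kind of "interpretation in context" the earlier slide calls for.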

The Five Standards for Internal Control

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Control Techniques

• Independent checks
• Approval
• Summarization
• Safeguards over access and use
• Segregation of duties
• Authorization
• Design and use of documents and records

Establishing Partnerships

Agencies need to establish partnership roles:
– Data Repository
– Selection Criteria
– Data Analysis and Coding
– Field Research
– Analysis of Results
– Improve Process

Data Analytics Help…

• Determine the reliability of data fields: the shape of the data (statistics) and the completeness of transactions and fields
• Show anomalies within a database, between databases, and as changes in behavior over time
• Develop risk profiles for comparison: awardee profiles, award-type profiles, program profiles
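The three bullets above map to three small routines. This is an added example, not the deck's or ACL's code: field completeness and basic statistics for reliability, a draw-versus-general-ledger reconciliation for the "between databases" case (the active-award risk "General Ledger Differs from Draw Amount" on the life-cycle slide), and a per-awardee month-over-month spike check for "changes in behavior over time". The award transactions, draw totals and ledger totals are constructed sample data, and the spike factor of 2x the prior mean is an assumed threshold.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample award transactions, not real data. None marks a field that
# arrived empty from the source system.
AWARD_TXNS = [
    {"award": "G-101", "awardee": "Univ-A", "month": "2010-01", "amount": 12000.0, "cost_category": "salaries"},
    {"award": "G-101", "awardee": "Univ-A", "month": "2010-02", "amount": 11800.0, "cost_category": "salaries"},
    {"award": "G-101", "awardee": "Univ-A", "month": "2010-03", "amount": 12200.0, "cost_category": None},
    {"award": "G-101", "awardee": "Univ-A", "month": "2010-04", "amount": 48000.0, "cost_category": "equipment"},
    {"award": "G-202", "awardee": "Univ-B", "month": "2010-01", "amount": 5000.0, "cost_category": "travel"},
    {"award": "G-202", "awardee": "Univ-B", "month": "2010-02", "amount": None, "cost_category": "travel"},
    {"award": "G-202", "awardee": "Univ-B", "month": "2010-03", "amount": 5100.0, "cost_category": "travel"},
]

# Constructed per-award totals from two different systems: cash draws reported by
# the awardee, and what the paying agency's general ledger recorded.
DRAWS = {"G-101": 84000.0, "G-202": 10100.0}
LEDGER = {"G-101": 84000.0, "G-202": 15100.0}


def completeness(records, fields):
    """Share of records in which each field is present and non-empty."""
    n = len(records)
    return {f: sum(1 for r in records if r.get(f) not in (None, "")) / n for f in fields}


def shape(records, field):
    """Basic statistics of a numeric field, ignoring missing values."""
    vals = [r[field] for r in records if r.get(field) is not None]
    return {"n": len(vals), "min": min(vals), "max": max(vals),
            "mean": round(mean(vals), 2), "stdev": round(pstdev(vals), 2)}


def reconcile(draws, ledger, tolerance=0.01):
    """Awards whose drawn amount differs from the general-ledger amount.
    An award present in only one system is compared against 0."""
    out = {}
    for award in sorted(set(draws) | set(ledger)):
        d, l = draws.get(award, 0.0), ledger.get(award, 0.0)
        if abs(d - l) > tolerance:
            out[award] = {"draw": d, "ledger": l, "difference": round(d - l, 2)}
    return out


def spend_spikes(records, factor=2.0):
    """Months in which an awardee's spend exceeds `factor` times the mean of its
    earlier months. Months with a missing amount are skipped rather than
    treated as zero, so a data gap does not manufacture a spike."""
    by_awardee = defaultdict(list)
    for r in records:
        if r["amount"] is not None:
            by_awardee[r["awardee"]].append((r["month"], r["amount"]))
    spikes = []
    for awardee, series in by_awardee.items():
        series.sort()
        for i in range(1, len(series)):
            baseline = mean([a for _, a in series[:i]])
            if series[i][1] > factor * baseline:
                spikes.append((awardee, series[i][0], series[i][1], round(baseline, 2)))
    return spikes


if __name__ == "__main__":
    print("completeness:", completeness(AWARD_TXNS, ["award", "amount", "cost_category"]))
    print("amount shape:", shape(AWARD_TXNS, "amount"))
    print("draw vs ledger:", reconcile(DRAWS, LEDGER))
    print("spend spikes:", spend_spikes(AWARD_TXNS))
```

Run the completeness check first: a field that is 85% populated is a weak basis for any later indicator built on it, and the finding should say so before the anomalies are reported.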

Data Analytics: Myths and Realities

Myths
• Data only, no fieldwork
• Numbers exercise
• Too many false positives
• Process changes data
• Findings unsupported
• No testing of controls
• Not auditing

Realities
• Focuses fieldwork
• Still tests support with traditional techniques
• Source data not changed
• Findings have stronger support
• Yellow Book compliant

Examples of Questions


Outcomes

Anticipated outcomes of transaction oversight:
• Strengthening internal control monitoring over the program.
• Identifying potential and actual card misuse.
• Reducing program financial exposure.
• Identifying policy flaws such as organization-wide, office, or individual training gaps.
• Identifying opportunities to use BPAs and standardize equipment purchases to reduce costs.
• Supporting assurance over purchase card reported data.

Cardholder High Risk Factors

Data analysis allows us to build a high-risk cardholder profile by identifying cardholders who appear to be untrained, prone to abusing or misusing the card, or who potentially make fraudulent purchases.

Warning Signs:
• Has the cardholder account been closed? Has a new card been re-issued more than once?
• Has the cardholder allowed others in the office to use their card for making purchases (e.g., while on leave)?
• Is the cardholder unable to provide proof of purchase such as receipts?
• Do the items purchased support mission need?

Activities Targeted – Management Controls

Examples of Management Control Indicators:
• Too many cardholder accounts per Approving Official – management goal is no more than 7 cardholders for each Approving Official.
• Too many transactions per Approving Official – management goal is no more than 300 transactions for each Approving Official.
• Approving Official transaction reviews are accomplished in either less or more time than expected.
• Purchase Card spending limits are all set to the maximum when actual purchase amounts are significantly less.
• Purchase Card is assigned to an office or group of individuals instead of a specific person.
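The five indicators above are all aggregates over the card-account roster and the reviewed transactions, so one pass can score them together. The following is an added example, not code from the deck or from ACL. The 7-cardholder and 300-transaction goals come from the slide; the program-wide maximum limit of $25,000, the 2–30 minute "expected" review time per transaction, the 10% usage ratio for an underused maximum limit, and the `holder_type` field are all assumptions made for the example, and the roster and transactions are generated sample data.

```python
from collections import Counter, defaultdict
from statistics import mean

MAX_CARDS_PER_AO = 7                    # management goal from the slide
MAX_TXNS_PER_AO = 300                   # management goal from the slide
PROGRAM_MAX_LIMIT = 25000.0             # assumed program-wide maximum single-purchase limit
EXPECTED_REVIEW_MINUTES = (2.0, 30.0)   # assumed plausible range for one AO review
LIMIT_USE_RATIO = 0.10                  # assumed: flag a max-limit card whose largest purchase is under 10% of it


def build_sample():
    """Constructed roster and transactions, not real program data."""
    accounts, txns = [], []
    for i in range(1, 9):  # AO-1 approves eight cards: one over the goal
        accounts.append({"card": f"C-{i:02d}", "ao": "AO-1", "holder_type": "person", "limit": 3000.0})
    accounts.append({"card": "C-09", "ao": "AO-2", "holder_type": "office", "limit": 3000.0})
    accounts.append({"card": "C-10", "ao": "AO-2", "holder_type": "person", "limit": PROGRAM_MAX_LIMIT})
    for n in range(320):  # AO-1 "reviews" 320 transactions, each in 12 seconds
        txns.append({"card": f"C-{n % 8 + 1:02d}", "amount": 150.0 + n, "review_minutes": 0.2})
    for _ in range(40):   # C-10 carries the maximum limit but never buys above $900
        txns.append({"card": "C-10", "amount": 900.0, "review_minutes": 8.0})
    txns.append({"card": "C-09", "amount": 450.0, "review_minutes": 6.0})
    return accounts, txns


def management_indicators(accounts, txns):
    """Score the five management-control indicators; each value lists the
    Approving Officials or cards that trip the indicator."""
    ao_of = {a["card"]: a["ao"] for a in accounts}
    cards_per_ao = Counter(a["ao"] for a in accounts)
    txns_per_ao = Counter(ao_of[t["card"]] for t in txns)
    review_time = defaultdict(list)
    max_amount = defaultdict(float)  # a card with no transactions has a largest purchase of 0
    for t in txns:
        review_time[ao_of[t["card"]]].append(t["review_minutes"])
        max_amount[t["card"]] = max(max_amount[t["card"]], t["amount"])
    lo, hi = EXPECTED_REVIEW_MINUTES
    return {
        "too_many_cards": sorted(ao for ao, n in cards_per_ao.items() if n > MAX_CARDS_PER_AO),
        "too_many_txns": sorted(ao for ao, n in txns_per_ao.items() if n > MAX_TXNS_PER_AO),
        # mean review time outside the expected band: rubber-stamping or a backlog
        "review_time_out_of_range": sorted(ao for ao, m in review_time.items() if not lo <= mean(m) <= hi),
        "max_limit_underused": sorted(a["card"] for a in accounts
                                      if a["limit"] >= PROGRAM_MAX_LIMIT
                                      and max_amount[a["card"]] < LIMIT_USE_RATIO * a["limit"]),
        "card_not_assigned_to_person": sorted(a["card"] for a in accounts if a["holder_type"] != "person"),
    }


if __name__ == "__main__":
    accounts, txns = build_sample()
    for indicator, hits in management_indicators(accounts, txns).items():
        print(f"{indicator}: {hits or '-'}")
```

The review-time indicator needs a timestamp for when the Approving Official opened and certified each transaction; if the card system only records the certification time, the per-transaction duration has to be derived from the gap between consecutive certifications, which is a weaker signal.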

Activities Targeted – Examples

Examples of transaction indicators used to identify high-risk transactions include, but are not limited to:
• Repetitive buying pattern of even dollars, near purchase limits, or same or similar vendor name.
• Fewer than 5 cardholders using a specific vendor.
• Purchases from non-standard vendors.
• Purchases that happen on weekends, holidays, or when the cardholder is on leave or TDY.
• Items purchased exceed requirement or authorization documents, or have questionable value for the user.
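The transaction indicators above, together with the repeated split purchases named on the "Areas of Concern" slide, can be scored per transaction from the card feed alone. The following is an added example, not code from the deck or from ACL. The "fewer than 5 cardholders" rule is from the slide; the $3,000 single-purchase limit, the 90% "near limit" ratio, the approved-vendor list, the holiday calendar, the leave/TDY periods and the vendor-name normalization rules are assumptions made for the example, and the transactions are constructed sample data. The last bullet (items exceeding the authorization documents) needs the requisition data and is not scored here.

```python
import re
from collections import Counter, defaultdict
from datetime import date

SINGLE_PURCHASE_LIMIT = 3000.0          # assumed card limit
NEAR_LIMIT_RATIO = 0.90                 # assumed: at or above 90% of the limit counts as "near"
MIN_CARDHOLDERS_PER_VENDOR = 5          # from the slide
HOLIDAYS = {date(2010, 7, 5)}           # constructed holiday calendar
LEAVE = {"CH-2": [(date(2010, 7, 12), date(2010, 7, 16))]}  # constructed leave/TDY periods
STANDARD_VENDORS = {"GSA ADVANTAGE", "OFFICE DEPOT"}        # assumed approved-vendor list

TXNS = [  # constructed sample, not real data
    {"id": 1, "cardholder": "CH-1", "vendor": "Office Depot #123", "amount": 214.37, "date": date(2010, 7, 6)},
    {"id": 2, "cardholder": "CH-1", "vendor": "ACME ELECTRONICS LLC", "amount": 2900.00, "date": date(2010, 7, 6)},
    {"id": 3, "cardholder": "CH-1", "vendor": "Acme Electronics, L.L.C.", "amount": 2850.00, "date": date(2010, 7, 6)},
    {"id": 4, "cardholder": "CH-2", "vendor": "GSA Advantage", "amount": 500.00, "date": date(2010, 7, 5)},
    {"id": 5, "cardholder": "CH-2", "vendor": "BEST BUY", "amount": 1200.00, "date": date(2010, 7, 14)},
    {"id": 6, "cardholder": "CH-3", "vendor": "Office Depot #456", "amount": 89.99, "date": date(2010, 7, 10)},
    {"id": 7, "cardholder": "CH-4", "vendor": "Office Depot", "amount": 45.10, "date": date(2010, 7, 7)},
    {"id": 8, "cardholder": "CH-5", "vendor": "OFFICE DEPOT", "amount": 120.55, "date": date(2010, 7, 8)},
    {"id": 9, "cardholder": "CH-6", "vendor": "Office Depot #789", "amount": 33.25, "date": date(2010, 7, 9)},
]


def normalize_vendor(name):
    """Collapse 'Acme Electronics, L.L.C.', 'ACME ELECTRONICS LLC' and store-number
    suffixes to one key so 'same or similar vendor name' can be matched."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper().replace(".", "")).split()
    return " ".join(t for t in tokens if t not in {"LLC", "INC", "CORP", "CO", "LTD"} and not t.isdigit())


def on_leave(cardholder, day):
    return any(start <= day <= end for start, end in LEAVE.get(cardholder, ()))


def flag_transactions(txns, limit=SINGLE_PURCHASE_LIMIT):
    """Return {transaction id: [indicator names]} for every transaction."""
    vendor_key = {t["id"]: normalize_vendor(t["vendor"]) for t in txns}
    holders_per_vendor = defaultdict(set)
    by_day = defaultdict(list)
    for t in txns:
        holders_per_vendor[vendor_key[t["id"]]].add(t["cardholder"])
        by_day[(t["cardholder"], vendor_key[t["id"]], t["date"])].append(t)
    # split purchase: same cardholder, same vendor, same day, each charge under the
    # limit but the day's total over it
    split_ids = {t["id"] for group in by_day.values()
                 if len(group) > 1
                 and sum(x["amount"] for x in group) > limit
                 and all(x["amount"] <= limit for x in group)
                 for t in group}
    flags = {}
    for t in txns:
        f = []
        if t["amount"] == int(t["amount"]):
            f.append("even_dollars")
        if t["amount"] >= NEAR_LIMIT_RATIO * limit:
            f.append("near_limit")
        if t["date"].weekday() >= 5:
            f.append("weekend")
        if t["date"] in HOLIDAYS:
            f.append("holiday")
        if on_leave(t["cardholder"], t["date"]):
            f.append("on_leave_or_tdy")
        if vendor_key[t["id"]] not in STANDARD_VENDORS:
            f.append("non_standard_vendor")
        if len(holders_per_vendor[vendor_key[t["id"]]]) < MIN_CARDHOLDERS_PER_VENDOR:
            f.append("few_cardholders_vendor")
        if t["id"] in split_ids:
            f.append("possible_split_purchase")
        flags[t["id"]] = f
    return flags


def cardholder_profile(txns, flags):
    """Indicator counts per cardholder: repeated hits on one cardholder are the
    'repetitive buying pattern' rather than a single odd transaction."""
    profile = defaultdict(Counter)
    for t in txns:
        profile[t["cardholder"]].update(flags[t["id"]])
    return profile


if __name__ == "__main__":
    flags = flag_transactions(TXNS)
    for t in TXNS:
        print(t["id"], t["cardholder"], t["vendor"], t["amount"], flags[t["id"]] or "-")
    for holder, counts in cardholder_profile(TXNS, flags).items():
        print(holder, dict(counts))
```

Vendor normalization matters more than it looks: without it the two ACME charges appear to come from different vendors, the split purchase is missed, and both vendors show fewer than 5 cardholders for the trivial reason that they are counted separately. Normalization is also where false positives come from (two unrelated "ABC SERVICES" entities), so keep the raw vendor name in the output for the reviewer.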

Future Action to Reduce Risk

Automated reviews will promote advanced monitoring and strengthen the internal control environment by:
• Supporting improved compliance with existing requirements.
• Defining new rules and related controls based on the results of analysis.
• Assisting in the development of continuous monitoring procedures to mitigate future fraud, waste and abuse.
• Producing on-going analysis, reports, metrics and other timely data to evaluate and manage the Purchase Card program.
• Identifying vendors, cardholders, approvers, and types of transactions to target with increased scrutiny.

Improve reporting efficiency by:
• Facilitating a sustainable process of continuous routing and monitoring of high-risk transactions with limited manual intervention.
• Assisting in managing, tracking and documenting exceptions.
• Documenting and providing results to all layers of management via reports and dashboards.
• Informing needed adjustments to rules, policies, and procedures based on results.

Q&A


Contact Information:

Melanie Rowley, CISA, [email protected]

Bill Kelley, CISA, CISM (714) [email protected]