Forensic analytics by robin singh 13th iia confrence

Forensic Analytics

April, 2012

Analytics
Forensic
By Robin Singh, CFE, CFAP, CICA
Robin.singh@protivitiglobal.ae
+97150 134 0420

Why is the same supplier winning all the contracts?

Did I receive the same claim last month??

Are my colleagues involved in money laundering?

FORENSIC
ANALYTICS
- MAKING THE DATA TALK

Why… How…When… Where?????
Is this vendor a brother of one of my employees?

IIA Conference
2

Analysis and/or Analytics

Analytics +
Knowledge + Tools

Analytics

Analysis with
Knowledge

Data
Analysis 1
Analysis

Data Set 2

Data Set1

IIA Conference
© 2012 Protiviti Member Firm (Middle East) Consultancy
3
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Straight from the Book

Data Analysis Defined…

Data Analysis is an act of transforming
data with the aim of extracting useful
information and facilitating conclusions.

Forensic Analytics

Forensic Analytics is an science of using
data analysis coupled with forensic know-
how to meaningful facts Using
Technology and knowledge base.

IIA Conference
4

Forensic Analytics in an Organization

Forensic Analytics Methodology

Barriers to Analytics in Investigation/ Litigation Cases

Data Collection and Analytical Techniques in an
Investigation

Social Network Analytics

IIA Conference
5 © 2012 Protiviti Member Firm (Middle East) Consultancy


IIA Conference


Pro-Active Cases Apply Knowledge
(e.g. Profiling) for Control Gaps
Decision etc

False/True Positive
Reactive Cases
Interpret
( e.g. Information
Investigation) Knowledge

Summarize
Data/Reporting

Information
Tools Time

Extraction

DATA

IIA Conference
7

Why Does one need Forensic Analytics

 Investigations
 Dispute and Litigation Services
 Proactive preventive measures
 Deciphering and inferring network
 Finding a needle in a hay stack
IIA Conference

Forensic Analytics Methodology

IIA Conference

Forensic analytics — Methodology
1 2 3 4
Data Forensic Forensic
Data fusion
identification collection analytics

• Mapping of Electronically
Stored Information and • Apply rules-based
paper documents Unstructured detection on 100% of
Structured transaction data to
• Identification of data
structured and data identify anomalies
unstructured data (fraud, threats, etc.)
• Identify relevant third- • Develop statistically-
Transform based models to identify
party data …etc…etc and Load
previously unknown
• Use temporal and patterns
• Collect data using forensic • Optimize anomaly
entity keys to integrate
preservation best practices detection rule sets
structured and
unstructured data through a feedback loop
• Superimpose data sets
to derive context

Cumulative Scores Pattern Detection- Social Analytics

IIA Conference
10

3

Data fusion
Reactive and Proactive Approach to Forensic Analytics
4
Forensic
analytics
Div Sales
Name Amount Employee
ID

Transaction
User Name Transaction
Date
Type

Quantity Customer G/L
Number Account
Price

IIA Conference
11

3

Reactive Approach: Analyse and Interpret : Data fusion
Define Rules based on knowledge and Experience
4

Name
Div Sales
Amount Employee
Forensic
Summarized by Part Number
ID
analytics
Transaction
Date User Name Transaction
Type

Quantity Customer G/L
Number Account
Price

Extensions & Footings Verified

Quantity Excess Inventory

Rules Profile
Part Number
Setting and Subjectivity
Creating Cases
Unit Cost
Profiles
Warehouse Unusual Items
Number

Joining the Dots

IIA Conference

3

Pro-Active Approach: Model and Predict Data fusion
Modeling scenarios
4
Forensic
Name
Div Sales
Amount Employee
ID
analytics
Transaction
Date User Name Transaction
Type

Quantity Customer
Number
Price

Optimization
Number of Claims by Claim Value
£90,000

£80,000

Amount Claimed (DEPENDENT VARIABLE)
£70,000
y = 48.059x + 1215.9
£60,000 2
R = 0.6414
£50,000

£40,000

Quantity £30,000

£20,000

£10,000

Part Number £0
0 200 400 600 800 1,000 1,200 1,400

Number of Claims (INDEPENDENT VARIABLE)

Unit Cost
Rules
Setting Warehouse
Number

Build Models Joining the Dots

IIA Conference
13

Barriers to Analytics in Investigation/ Litigation
Cases

IIA Conference
14

Barriers to Analytics

Cost of inaccurate or careless analytics in complex litigations, disputes, and investigations is very high. In
addition, analytics must be completed in very compressed time frames.

Managing Data from
Understanding various media, communication systems, proprietary systems
Multiple Sources

• The volume of data required;
Data Location & Access • The variety of data types, formats, and sources; and the veracity and
• Accuracy of the data sets.

Data Understanding value to the analysis and lead to wastage of time.

• How was data cleaned and prepare if effectively
Data Preparation
• Consistency

• Data integrity as change controls
Manually Maintained
Data • How was data automated

IIA Conference
15

Data Collection and Analytical Techniques in an
Investigation

IIA Conference
IIA Conference
16

Corporate Investigation Life cycle

SCOPE LAY FOUNDATION DATA COLLECTION & ANALYSIS OBSERVATIONS & RECOMMENDATIONS

Structured Hard Copy

Data
Collection
Referral to
Interview Unstructure Observation
Law Firm
Physical
Informant d

Preliminary
Receipt of Initiate Data
Evaluation Analysis Investigative Recommend
an Scoping Investi Collection Interview
ations Recovery Reports
And Formula gation Findings
Allegation
the Allegation

Corroborate
Allegation Evidence
with Surreptitious Video Documentation Corrective
Contacts Monitoring Action
Research
and Available Covert
Data Activity

Surveillance Spyware

IIA Conference
17

Forensic analytics is a
medium / mechanism
(JOURNEY) and NOT
the end result

IIA Conference
18

Case I: Scenario

XYZ Entity Allegations:
Irregularities in the areas of:
• Inventory Loss
• Vendor Payments (Kickbacks)
• 3 key Employees’ Expense
Anonymous Email Reimbursements

Conduct investigation of the allegations at its Subsidiary Companies and HO

IIA Conference
19

Case I: Data Acquisition

Some Key Definitions:
 Digital Evidence
- Binary Format, relied in the court of law
 Original Digital Evidence
- Electronic Equipments associated during the time of seizure
 Duplicate
 Copy
 Chain of Custody (COC)
- Where?
- When?
- Who and Whom?

In this engagement we had collected about 2 TB of data
(Structured as well as unstructured )
IIA Conference
20

Case I: Data Acquisition

Safe Acquisition Methods:
1. Restrict Access
2. Forensic Duplication (1:1 bitwise);
3. No Changes to Hash value;
4. Use read-only equipments (Write-blocker);
5. Chan of Custody to be maintained
6. Recording and labeling
7. Ant-Static plastics storage
8. Shock proof – bubble bag while
Remember: If
transportation computer is off do
not turn it on, If on
9. Away from wireless devices
then unplug

IIA Conference
21

Case I: Some Analytical Results- Joining the Dots

ppp
ppp

pppQQ
pppQQ

RRR
RRR
RRR
Type ID Name Address Telephone
Vendor V83586 XYZ ltd 3/54 Temple Street (9564 31111
Elwood VIC 1111

Employee E41121 ABC 3/54 ST ELWOOD 9564 1156 11
VIC 1111

Vendor V23422 Jazz Something

Employee E11051 Fazz Dumpling

Vendor EXEC02 Mazz Maple Road 9682-0733333

Employee VISD00 KAZZ Apple Pie 9682 07333333

IIA Conference

Case I: Understand, Interpret and Optimize
Windows System Logs feature details of events fired on the system

Increased complexity with log files getting converted to flat files

IIA Conference
23

Case I: Understand, Interpret and Optimize- Joining the Dots
Data converted into usable information

Final Result

IIA Conference
24

Case I: Some Analytical Results

Application of Benford’s law –
Expense Claim

% of occurrence

First two digits of Invoices Amounts

IIA Conference
25

Case I: Deriving Relation- Joining the Dots

Inventory Theft

Can you take the words for whistle blower as a gospel truth? Let’s Verify

IIA Conference
26

Case I: Vendor Fraud Risk Profiling

IIA Conference
27

Case I: Altered payee

The bank account details in payment transactions differs from the bank account set
up in the vendor master

IIA Conference
28

Case I: Summary of Findings Handed over to the Investigator

 Fuzzy Duplicate Invoices;
Allegations:  Fuzzy Address Match on selected vendors indicating 2
Irregularities in the
companies operating undertaking under two different
areas of:
• Inventory Loss banners ;
• Vendor  Mr. X and Mr. Y filing duplicate expense reimbursement;
Payments (for  Price fluctuation for particular vendors for goods sold at unit
Kickbacks)
price;
• 3 key
Employees’  Correlation between shift manager of an inventory vs
Expense inventory leakage at a shift from 5-7p.m;
Reimbursements  Vendor profiling reflecting number of failed test fro XYZ and
KLM; and
 Altered Payee ( Who s the payment gong to?).

IIA Conference
29

Social Network Analytics

IIA Conference
30

Social Networking Analytics

Social network analysis [SNA] is the mapping and measuring of relationships and flows between
people, groups, organizations, computers, websites, and other connected information/knowledge
entities.

These measures give us insight into the various roles and groupings in a network -- who are the
connectors, mavens, leaders, bridges, isolates, where are the clusters and who is in them, who is in the
core of the network.

IIA Conference
31

Social Networking Analytics

Key stages of the process will typically include:

• Identifying the network of people to be analyzed (e.g. team, workgroup,

department).

• Gathering background information - interviewing managers and key staff to

understand the specific needs and problems.

• Formulating hypotheses.

• Mapping the network again after a suitable period of time.

IIA Conference
32

Case II:

Background Areas Of investigation
– Allegations of lottery insiders/retailers
– A listed on the XYZ stock exchange , is a
winning far too frequently over 9 years
lottery company.
XYZ Listed
Company

– An anonymous Email was received – Issues with non-winning tickets being
alleging certain financial irregularities . printed as winners

Anonymous
Email

Assist client by reviewing 9 years of lottery data to determine if
anomalies exist that may identify patterns of inappropriate ticket
transactions by ticket retailers
IIA Conference
33

Case II:
The data speaks for itself – leveraging analytic insights

Forensic Analytics Insights Result
 Six separate segments emerged,
6 1 each representing a distinctly different set
characteristics.
4 2  Management can:
• identify those clusters exhibiting higher
3 patterns of inappropriate activities

5 • identify more effective placement of lottery
devices; etc
 Graphical Representation

• Defining the set of rules is a
critical task of any
engagement- Forensic
Rules Analytics
• How many people using the
same terminal

IIA Conference
34

Case II:
Predictors of fraud – getting granular changes the rules and the outcome

• Analysis revealed that designing Rule to indicate
fraud thresholds are more complex than one potential fraud
thinks in the commencement of an
engagement.
• Define True Negative

• Define True Positive True-positive
transactions

IIA Conference
35

Case II
A comprehensive view of relationships and superimposing
structured and unstructured data
Deletion stub analysis for e-mail box

Number of e-mails deleted
Date

• We carried out an analysis on suspicious
– The basis for the relationship mapping was persons’ email deletion dates to identify
the signatory of a XYZ contract activities requiring additional investigation

IIA Conference
36

Case II: Summary of Findings Handed over to the Investigator

Allegations:  Cluster formation indicates nearly 33% of them were insiders
– Allegations of over the period of 9 years
lottery
insiders/retailers  Social network interaction analysis and emails reflect
winning far too possible collusion between the retailers and the insiders
frequently

– Issues with non-  List of individuals who are currently in the company using
winning tickets these terminals
being printed as
winners

IIA Conference
37

Lets Discuss

IIA Conference
38 © 2010 Protiviti Inc. ©2009 Deloitte Haskins & Sells
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Forensic analytics by robin singh 13th iia confrence

Recommended

Recommended

More Related Content

Similar to Forensic analytics by robin singh 13th iia confrence

Similar to Forensic analytics by robin singh 13th iia confrence (20)

Recently uploaded

Recently uploaded (20)

Forensic analytics by robin singh 13th iia confrence