Big risks, big data – and big decisions for the board
No organization is immune from fraud and abuse. In the worst cases, they can decimate companies, irredeemably damage corporate reputation or lead to jail terms.
In the current global business environment, data analytics, technologies and surveillance monitoring techniques are powerful tools to mitigate fraud and corruption, improve corporate decision-making and help gain a competitive edge.
Big data is no longer just a sales and marketing subject for the boardroom. It’s becoming more relevant to an organization’s anti-corruption, anti-fraud and cyber risk assessment processes.
In EY’s Global Forensic Data Analytics Survey 2016, involving 665 mid- to large-size companies, cyber breach or insider threat was identified as the top fraud risk concern. Sixty-two percent of respondents agreed that over the past two years, their level of concern regarding these risks had increased. Bribery and corruption risk followed, with 44% noting an increase in concern. Notably, 26% reported that the risk of financial statement fraud had also increased over the past two years.
As data continues to amass at exponential rates, an effective analytics governance structure must stand as a foundational pillar in the construct of modern risk management. Sophisticated answers are needed for complex risk questions about the business, its employees and the third parties with which organizations interact.
Increasingly, information and insights relevant to corporate boards are moving beyond traditional transactional data extracted from the company’s general ledgers and on to new sources, which can include emails, social media, video, and voice and text messages that help investigators understand the who, what, when, where and why related to key risks or events. This mountain of vital but unstructured data is often overlooked in traditional risk and internal control processes.
Challenges, risk areas and corporate investment
Directors increasingly recognize the value of big data and what they can “refine” from it to improve decision-making. They understand the importance of a more comprehensive approach to anti-fraud data mining and analysis.
Forensic data analytics refers to the ability to collect and use data, both structured (e.g., general ledger or transaction data) and unstructured (e.g., email, voice or free-text fields in databases), to prevent, detect, monitor or investigate potentially improper transactions, events or patterns of behavior related to misconduct, fraud and noncompliance issues.
Using better analysis to monitor and test compliance creates a cycle of enhanced adherence to company policy, improved fraud prevention and detection, and additional transparency for key stakeholders.
Given the recent focus on cyber fraud, it is not surprising that our survey found the primary drivers in companies’ investment in forensic data analytics were in response to growing cybercrime risks, with 53% of respondents indicating cybercrime was one of their main reasons for increasing investment. Most notably, increased regulatory scrutiny was mentioned by 43% of the respondents. Pressure from the board or management team was mentioned by 31%.
Leveraging analytics as a risk mitigation strategy to address fraud is a senior management topic. Seventy-four percent of C-level respondents agreed that they need to improve their current anti-fraud procedures, including the use of forensic data analytics tools.
Integrating advanced techniques as part of a robust anti-fraud program or investigation enables chief compliance officers, general counsel and chief audit executives to be more proactive in their queries. For example, compliance teams can now use big data to identify possible areas of concern by:
- Showing high-risk vendors, with multiple fraud risk indicators in accounts payable
- Matching identified vendors to international sanctions databases and adverse media databases
- Showing local office employee travel and entertainment expense outliers and anomalies
- Searching email and other communications where sensitive words or confidential information are mentioned
- Showing data network traffic and access logs and tracing to proper access controls
Data intelligence that comes from outside conventional sources and practices strengthens the process. For instance, it isn’t enough to rely on company policies and procedures to root out business corruption or fraud. Management also needs to incorporate tests of transactions and events, integrating multiple data sources with leading surveillance monitoring and risk-ranking techniques.
Those new techniques can broaden the pool of available information and focus on the key risk areas. Structured information is still the predominant source of anti-fraud and corruption insights during the risk assessment process, as the majority of all materials gathered continues to come through structured means such as standard business ledgers, accounts receivable and so on.
But unstructured sources can add depth, breadth and nuance to the assessment process, either in detecting existing fraud or building a strong defense against potential misbehavior.
For example, consider an employee making negative comments about his or her employer, spreading company misinformation on Facebook or LinkedIn, or including suspicious language in a payment or entertainment expense entry. Likewise, text messages are a fast and easy communication channel, but they are also a rich potential repository of valuable information around key events, the company’s culture, corrupt intent or employee sentiments.
With big data, the search for relevant information also can extend to external sanctions and watch-list databases to help companies understand who they are doing business with, particularly with respect to ties to state-owned entities or government restricted lists.
Not all of this information will be relevant to the fraud risk assessment, and data privacy is also an important consideration; but all of it is becoming more widely available as technology and big data processing capabilities improve.
Questions for the board and audit committee to consider
- Beyond compliance policies, training and education, what is the internal audit or compliance department doing to test the effectiveness of the controls in place?
- Does the board receive periodic updates from internal audit or the compliance department on the results of these tests?
- Has management communicated to the board whether the monitoring activities conducted rely on simple rules-based tests derived from traditional internal audit procedures, or whether they incorporate multiple data sources, data visualization, text mining and targeted anti-fraud, anti-corruption and cyber-specific tests?
What the board should be doing
— what kinds of analytics are in use or being developed, to what extent is internal audit involved in the use of data analytics, what type of resources are being applied, and how are traditional methods supplemented by more advanced techniques?
For their part, board members should request clarity of vision and collaboration across all disciplines to maximize the return on any data analytics investment. They also should regularly ask management about the resources being deployed and whether the company has the best talent in place to draft and execute a high-quality analytics program.
Better systemic anti-fraud safeguards may take time to implement, and not every director is likely to be on the same page in terms of cost and how best to direct management’s use of analytics. Older, more established organizations might be resistant to sweeping changes in the amount of data that must be collected and assessed.
But as long as directors are driven by three key considerations — the opportunity, the value and how the value will be linked to the strategic plan — they’ll be moving in the right direction, especially when demonstrating a strong corporate culture of ethics and compliance.
With increasing regulatory scrutiny and shareholder activism, the cost of getting it wrong is too high to ignore. As they face growing severity of fraud risks and more rigorous and extensive oversight from regulators, directors are beginning to better understand what is needed, what is lacking and their role in assisting management in using data analytics as a risk management tool.
It may not be enough to hear that the company has conducted selected training, repeated last year’s tests and/or reviewed anti-fraud policies — especially when the company is in a highly regulated industry or expanding in emerging markets.
This article was also featured in the NACD Directorship magazine.