This month’s Fraud Lurks centers on your ability to discover fraud early, thereby limiting your exposure. Certainly, the primary goal is to prevent fraud from occurring; we have covered that fairly comprehensively in previous articles relating to control procedures emanating from a thoughtful Risk Assessment.  However, if a fraud has been initiated, you must act to identify the methodology and, of course, the perpetrator.

All companies have tremendous amounts of data stored in their IT systems and most, if not all, underutilize the value of accessing this data.  This month’s article will feature data mining capabilities, providing two examples of potentially valuable features.

Technical data mining definitions abound, but essentially data mining is analyzing large databases in order to extract information.  For example:

I was tangentially involved with a task force charged with determining if US Navy retirees receiving pension checks were actually entitled to continue receiving them. The Navy Finance Center had already instituted certain controls including:

  • Running all Social Security Numbers of retirees looking for duplicate SSNs. This yielded very little as these controls had previously been implemented. Still, it was beneficial to know the controls were effective.
  • Requiring the retiree to personally appear with appropriate identification and sign for his / her retirement check every 18 months. Keep in mind, Navy retirees are domiciled all over the world.  This control was effective in identifying deceased retirees, whose relatives “forgot” to advise the Navy.

Still, the powers that be thought there might be additional steps they could take.  The decision was made to compare SSNs again, this time sorting to see if eight of the nine digits were identical.   It could be coincidental (quite a few exceptions were exactly that) and it could be the SSN was input incorrectly, later corrected, but the original incorrect number was not removed from the system, thereby resulting in two checks being sent to the retiree.

What seemed unlikely proved to be the case in dozens of instances, although I did not have clearance to access the details. I was told, however, one was a multi-star Admiral who, because of his rank, was not going to be brought up on charges. Rather, the duplicate payments were stopped and the Admiral was ordered to make restitution.  His response was “How can I make restitution, you just cut my income in half.” – I guess that’s how you get to be an Admiral.

Of course, no one reading this has the number of employees of the US Navy.  Entrepreneurs at one time likely knew all their employees.  But as your company grows, has multiple locations, employs remote workers, etc., are you certain you are not paying “ghost” employees?  Data mining searches can help, including:

  • Duplicate addresses
  • PO Box addresses
  • Duplicate / common SSNs
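
The eight-of-nine-digit SSN comparison and the three searches listed above can be run in one pass over a payroll extract. The sketch below is an added example, not part of the original article; the record layout, function names and sample rows are constructed assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample payroll rows (not real data): (employee_id, ssn, address)
RECORDS = [
    ("E001", "123-45-6789", "12 Oak St, Springfield"),
    ("E002", "123-45-6189", "98 Elm Ave, Shelbyville"),    # one digit off E001
    ("E003", "555-12-3456", "P.O. Box 771, Springfield"),
    ("E004", "987-65-4321", "12 Oak  St., Springfield"),   # same address as E001
    ("E005", "555-12-3456", "4 Pine Rd, Ogdenville"),      # same SSN as E003
    ("E006", "321-54-9876", "7 Birch Ln, Springfield"),
]
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)

def ssn_matches(records):
    """Return (exact, near): employee-id pairs whose SSNs are identical,
    or identical in eight of the nine digit positions."""
    buckets = defaultdict(set)
    for emp, ssn, _ in records:
        d = re.sub(r"\D", "", ssn)          # keep digits only
        if len(d) != 9:
            continue                         # malformed SSN: skip here, review separately
        # Mask each position in turn; SSNs that differ in at most one
        # position share at least one masked key. Avoids comparing all pairs.
        for i in range(9):
            buckets[d[:i] + "*" + d[i + 1:]].add((emp, d))
    exact, near = set(), set()
    for members in buckets.values():
        for (e1, d1), (e2, d2) in combinations(sorted(members), 2):
            (exact if d1 == d2 else near).add((e1, e2))
    return exact, near

def address_flags(records):
    """Return (shared, po_boxes): groups of employees on one normalized
    address, and employees whose address is a PO Box."""
    by_addr, po_boxes = defaultdict(list), []
    for emp, _, addr in records:
        key = re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()
        by_addr[key].append(emp)
        if PO_BOX.search(addr):
            po_boxes.append(emp)
    shared = sorted(tuple(v) for v in by_addr.values() if len(v) > 1)
    return shared, po_boxes

if __name__ == "__main__":
    exact, near = ssn_matches(RECORDS)
    shared, po_boxes = address_flags(RECORDS)
    print("Duplicate SSN:", sorted(exact))
    print("SSN off by one digit:", sorted(near))
    print("Shared address:", shared)
    print("PO Box address:", po_boxes)
```

Each hit is a lead for manual review rather than a finding: as in the Navy exercise, some one-digit matches will be coincidence and others a data-entry error that was never cleaned up.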

Another type of data mining control is known as Benford’s Law.  It should really be known as Newcomb-Benford’s law as Simon Newcomb discovered the “law” some 50 years earlier in 1881, but Frank Benford refined and published it in 1938. Benford’s Law is odd, unusual and actually holds true.

Because research shows this article has reached the capacity for maintaining interest of the reader, Newcomb-Benford’s law will be the subject of next month’s article.  I love a good cliffhanger!

As always, if HW&Co can assist you with Risk Assessment, Control Procedures or Data Mining, contact me or your HW&Co. executive.

Stanley Olejarski