I continue my exploration of the use of data analytics in a best practices compliance program. Today we look at how data analytics can be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A vast majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party to conduit the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham.
I asked Joe Oringel, co-founder and Managing Director of Visual Risk IQ, how data analysis might help a Chief Compliance Officer (CCO) or compliance practitioner detect such conduct and also move toward preventing such conduct in the future. Oringel described different case studies from his organization’s clients where they used data analysis on accounts payable invoices and how that experience can be used to formulate similar data analysis for a CCO or compliance practitioner. There are a number of more complex analytics that can be run in combination to identify suspicious third parties, and some of the simplest can be to look for duplicate or erroneous payments.
Oringel said that a key to moving from detection to prevention is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at a time for errors or overpayment. Changing this from a one-time annual or biannual event to something that is done daily or weekly dramatically changes the value of such internal controls. This more frequent, preventative analysis is integral to the foundation of how Visual Risk IQ works with many of its clients. While the company does perform periodic look-back audits, it also works with technology to accomplish the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.
Oringel provided several client examples where duplicate invoices had been submitted but were not immediately caught. In one instance, Invoice No. 0000878-IN, was paid for $1,617.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded without the hyphen and was not detected by the system of controls. The problem was that it was the same invoice with slightly different writing on the face of it, and both were scanned into the company’s imaging system and queued for payment. The Visual Risk IQ’s team used data analysis to locate such overpayments, and to identify that the second payment should not be made because it is a match of one that had been previously approved.
In another example, Oringel detailed a query which a compliance practitioner could compare using vendor name and other identifying information, for example address, country, data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), to names and other identifying information on your vendor file. He gave an example where a duplicate payment of more than $75,000 was made. One payment in that amount was made to a law firm named ‘Kilpatrick Stockton’ and the second was made to a different vendor, the law firm ‘Kilpatrick Townsend’. Oringel and his team recognizing that these were related entities, even though they had been established as different vendors in the vendor master. Because of the amount and the date were similar enough as detected by data analysis, the invoices warranted a human inspection.
Oringel said such an inquiry could also be used to test in other ways. He posed the example if a “vendor has the same surname as a vendor on the specially designated national terrorist list, or a politically exposed person. They share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection where you can determine that the middle names are different and the ages are different, one of has an address is Brasilia and the other is in Sao Paolo.” He noted that until you inspect the other demographic information about your vendors, consultants or third parties and compare them to watch list individuals, you just do not know. That is what data analytics is designed to do, is to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to researched individually.
One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, he has seen data analytics uncover overcharges and fraudulent billings. Oringel said that continual transaction monitoring and data analysis can prove its value through more frequent review, including the Hawthorne effect which states that individuals tend to perform better when they know they are being monitored.
Oringel emphasized that the techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments “not only by day or by month, but also by vendor or even by employee who may have keyed the invoices” into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. Oringel stated, “That’s the value of analytics. Analytics allows us to sort and resort, combine and aggregate, so that patterns can be investigated more fully.”
This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.
[View source.]
