Date post: | 13-Dec-2015 |
Upload: | isiah-darnell |
Taking the Right Steps to Integrated Data-Driven Oversight
Leveraging Data to Monitor Fraud, Waste and Abuse
Melanie Rowley, CISA PMP ITIL, ACL Services
Bill Kelley, CISA CISM
Reporting and Analytics – Process Overview
Reporting and Analytics Function
Drivers Uses/Users
Example Standard Reporting
• A-123/133 Compliance
• Spend Analytics
• Fraud, Waste, and Abuse
• Tax Recovery
Example Ad-hoc Reporting
• IG – All card activity data; Contract award data
• GAO – Small Business Purchases; Identified fraud issues by location
• OFM – Off-hour purchases; Cash Payments without documentation
• Ass’t Secretary – Best Price Purchases; Purchases to Green Vendors
USES
• Fraud and Accountability
• Card Program Management
• Transition Management
• Training, Learning, and Development
• Risk Management
• Fraud, Waste, and Abuse Detection and Prevention
• Performance Measurement and Benchmarking
• Tax Exemption and Recovery
• Spend Analysis and Strategic Sourcing
• Research and Intelligence
USERS
• Revenue/Tax
• Audit
• Retirement Managers
• Human Resources
• Program Managers
Feedback
Input from Various Sources
End to End Process for Grant Oversight
Diagram labels (process stages): PROPOSALS | PRE-AWARD REVIEW | AWARD | CLOSE-OUT | POST AWARD | CASH DISBURSEMENTS | PAY/ENTITLEMENT | AWARD | SOLICITATIONS | CASH REQUEST
DATA ANALYSIS
PRE-AWARD RISKS
• Funding Over Time
• Conflict of Interest
• False Statements
• False Certifications
• Duplicate Funding
• Inflated Budgets
• Candidate Suspended/Debarred
ACTIVE AWARD RISKS
• Unallowable, Unallocable, Unreasonable Costs
• Inadequate Documentation
• General Ledger Differs from Draw Amount
• Burn Rate
• No/Late/Inadequate Reports
• Sub-awards, Consultants, Contracts
• Duplicate Payments
• Excess Cash on Hand/Cost Transfers
• Unreported Program Income
AWARD END RISKS
• No/Late Final Reports
• Cost Transfers
• Spend-out
• Financial Adjustments
• Unmet Cost Share
Dr. Brett M. Baker, 2010
Reasons Oversight Is Not Always Effective
• Not adequately verifying—drive bys
• Tend to avoid conflict with people
• Education—fraud detection not taught in school
• Pressure to finish audits
• Auditor vs. investigator—auditors have bias toward documents while investigators have bias toward witnesses
• Don’t understand business operations and impact of control weaknesses
• Not talking to lower level personnel
• Warning signs not recognized
Reasons We Miss Inappropriate Transactions When We Get Data
• Poorly defined scope
• Data acquisition
• Manually maintained data
• False positives
• Lack of familiarity
  – Data storage systems
  – Software systems
  – Organizational processes
• Lack of support from Sr. Leadership
FRAUD ENABLERS
• Defensive Posture
• Expanding Ranks of Fraud Mobsters
• Fragmentation
• Lack of Law Enforcement Coordination
• Unlimited Opportunities
• “Cost of Doing Business” Mindset
• Lack of Awareness at Executive Levels
• Minimal Deterrent
Framework for Aggressive Active Oversight
• Data analytics-driven, risk-based methodology to improve oversight
  – Identify institutions that may not use Federal funds properly
  – Techniques to surface questionable expenditures
• Life cycle approach to oversight
  – Mapping of end-to-end process to identify controls
  – 100% review of key financial and program information
  – Focus attention to award and expenditure anomalies
• Complements traditional oversight approaches
  – Techniques to review process and transactions are similar
  – Transactions of questionable activities are targeted
Things to Talk About
• Use analytics software to track and document results of identified high risk transactions selected for further review and investigation
• Carry out the auditor’s responsibility for assessing fraud risk factors and evaluating internal controls and standards
• Management can and should use similar methods to conduct reviews to meet internal control standards and the associated 17 internal control principles
• Demonstrate the types of evidence-gathering techniques used to identify anomalous behavior by individuals, business units, components, or the organization
The following areas are problematic and may occur in various combinations:
Individual Use Purchases – Purchase of vehicles, vacation trips, TVs, clothes, stereo systems, and jewelry.
Vendor Fraud – Vendors will charge additional fees for services previously paid and the charges will go unquestioned.
Employee Conspiracy With Vendor - Employees receiving kickbacks in the form of vacations, gifts, and other by manipulating refunds/credits or making excessive purchases. Vendors will share profits with conspiring employees.
External Fraud - Organized crime and individual fraudsters will commit fraud using compromised cards in similar ways to methods used against non-government cardholders with the key difference that the government is self-insured.
Other – Includes year-end spending rush and stockpiling issues, supervisor pressure, and expediting mission by circumventing laws and regulations (i.e. repeated split purchases).
Areas of Concern When the Money Button is Pushed
Common Sense Patterns
• If it does not make sense…
• It is not normal…
• It seems unusual…
• Too coincidental…
• Too frequent…
There is no right answer
There is no wrong answer
Merely an interpretation in context
Too Much Commonality
• Many patterns are exposed due to repeating behaviors
• Too many commonalities may indicate organized behaviors
• Subjects perpetrate the same crime at different financial institutions
• Only minor changes in their underlying Modus Operandi (MO)
GAO: Questionable Debit Card Charges
GAO examples of “questionable” charges for use of debit cards
http://www.gao.gov/new.items/d06844t.pdf
Doctor Shopping Pattern
Target suspect is related to multiple doctors for the same prescription-types
[Diagram: SUBJECT linked to PHYSICIAN-A, PHYSICIAN-B, PHYSICIAN-C, PHYSICIAN-D, PHYSICIAN-E, PHYSICIAN-F, PHYSICIAN-G]
Multiple Pharmacy Usage
Target suspect uses multiple pharmacies to fill his prescriptions
[Diagram: SUBJECT linked to WALGREEN DRUG STORE, RITE-AID PHARMACY, ECKERD, GIANT PHARMACY, ACME PHARMACY, CVS PHARMACY]
The structure of this pattern is virtually identical to the doctor-shopping pattern
The Five Standards for Internal Control
• Monitoring
• Control Activities
• Risk Assessment
• Control Environment
• Information and Communication
• Independent checks
• Approval
• Summarization
• Safeguards over access and use
• Segregation of duties
• Authorization
• Design and use of documents and records
Control Techniques
Establishing Partnerships
Agencies need to establish partnership roles
– Data Repository
– Selection Criteria
– Data Analysis and Coding
– Field Research
– Analysis of Results
– Improve Process
Data Analytics Help….
• Determine reliability data fields
  – Shape of the data (statistics)
  – Completeness of transactions and fields
• Show anomalies….
  – within a database
  – between databases
  – and changes in behavior over time
• Develop risk profiles for comparisons
  – Awardee profiles
  – Award-type profiles
  – Program profiles
MYTHS
• Data only, no fieldwork
• Numbers exercise
• Too many false positives
• Process changes data
• Findings unsupported
• No testing controls
• Not auditing
REALITIES
• Focuses fieldwork
• Still test support with traditional techniques
• Source data not changed
• Findings have stronger support
• Yellow Book Compliant
Data Analytics: Myths and Realities
Anticipated outcomes of transaction oversight:
Strengthening internal control monitoring over the program.
Identifying potential and actual card misuse.
Reducing program financial exposure.
Identifying policy flaws like organization-wide, office, or individual training gaps.
Identifying opportunities to use BPAs and standardize equipment purchases to reduce costs.
Supporting assurance over purchase card reported data.
Outcomes
Data analysis allows us to build a high risk cardholder profile by identifying cardholders that appear to be untrained, prone to abusing or misusing the card, or who potentially make fraudulent purchases.
Warning Signs:
Has the cardholder account been closed? Has a new card been re-issued more than once?
Has the cardholder allowed others in the office to use their card for making purchases (i.e., while on leave)?
Is the cardholder unable to provide proof of purchase such as receipts?
Do the items purchased support mission need?
Cardholder High Risk Factors
Examples of Management Control Indicators:
• Too many cardholder accounts per Approving Official
  – Management goal is no more than 7 cardholders for each Approving Official.
• Too many transactions per Approving Official
  – Management goal is no more than 300 transactions for each Approving Official.
• Approving Official transaction reviews are accomplished in either less or more time than expected.
• Purchase Card spending limits are all set to the maximum when actual purchase amount is significantly less.
• Purchase Card is assigned to an office or group of individuals instead of a specific person.
Activities Targeted - Management Controls
Examples of transaction indicators used to identify high risk transactions include but are not limited to:
Repetitive buying pattern of even dollars, near purchase limits, or same or similar vendor name.
Fewer than 5 cardholders using a specific vendor.
Purchases from non-standard vendors.
Purchases that happen on weekends, holidays, or when the cardholder is on leave or TDY.
Items purchased exceed requirement or authorization documents, or have questionable value for user.
Activities Targeted - Examples
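The management-control goals (no more than 7 cardholders and 300 transactions per Approving Official) and several of the transaction indicators listed above can be run as automated checks over card data. The following Python is an added example, not part of the original presentation; the sample transactions, the vendor names, the $3,000 purchase limit and the 95% "near limit" threshold are assumptions, and the leave/TDY indicator is not modeled.

```python
from collections import defaultdict
from datetime import date

# Thresholds stated on the slides
MIN_CARDHOLDERS_PER_VENDOR = 5   # "fewer than 5 cardholders using a specific vendor"
MAX_CARDHOLDERS_PER_AO = 7       # management goal per Approving Official
MAX_TXNS_PER_AO = 300            # management goal per Approving Official
# Assumptions (not from the slides)
PURCHASE_LIMIT_CENTS = 300_000   # assumed single-purchase limit of $3,000
NEAR_LIMIT_RATIO = 0.95          # assumed meaning of "near purchase limits"

# Constructed sample data: (txn_id, cardholder, approving_official, vendor, cents, date)
TXNS = [(f"T{i}", f"CH{i:02d}", "AO1", "VENDOR-A", 10137 + 1000 * i,
         date(2015, 3, 3)) for i in range(1, 9)]        # eight cardholders, a Tuesday
TXNS += [("T9", "CH09", "AO2", "VENDOR-B", 295_000, date(2015, 3, 7)),   # Saturday
         ("T10", "CH09", "AO2", "VENDOR-B", 120_050, date(2015, 3, 9))]  # Monday

def transaction_flags(txns, holidays=frozenset()):
    """Return {txn_id: [indicator, ...]} for transactions that hit any indicator."""
    vendor_holders = defaultdict(set)
    for _, holder, _, vendor, _, _ in txns:
        vendor_holders[vendor].add(holder)
    flagged = {}
    for txn_id, _, _, vendor, cents, day in txns:
        hits = []
        if cents % 100 == 0:
            hits.append("even_dollar")
        if NEAR_LIMIT_RATIO * PURCHASE_LIMIT_CENTS <= cents <= PURCHASE_LIMIT_CENTS:
            hits.append("near_limit")
        if day.weekday() >= 5 or day in holidays:
            hits.append("weekend_or_holiday")
        if len(vendor_holders[vendor]) < MIN_CARDHOLDERS_PER_VENDOR:
            hits.append("rare_vendor")
        if hits:
            flagged[txn_id] = hits
    return flagged

def approving_official_flags(txns):
    """Return {approving_official: [indicator, ...]} for breached management goals."""
    holders, counts = defaultdict(set), defaultdict(int)
    for _, holder, official, *_ in txns:
        holders[official].add(holder)
        counts[official] += 1
    flagged = {}
    for official in holders:
        hits = []
        if len(holders[official]) > MAX_CARDHOLDERS_PER_AO:
            hits.append("too_many_cardholders")
        if counts[official] > MAX_TXNS_PER_AO:
            hits.append("too_many_transactions")
        if hits:
            flagged[official] = hits
    return flagged
```

A transaction that hits several indicators at once (T9 in the sample) is a candidate for the "further review" queue; a single hit such as a rarely used vendor is context, not a finding.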
Automated reviews will promote advanced monitoring and strengthen the internal control environment by:
Supporting improved compliance with existing requirements.
Defining new rules and related controls based on results of analysis.
Assisting in the development of continuous monitoring procedures to mitigate future fraud, waste and abuse.
Producing on-going analysis, reports, metrics and other timely data to evaluate and manage the Purchase Card program.
Identifying vendors, cardholders, approvers, and types of transactions to target with increased scrutiny.
Future Action to Reduce Risk
Improve reporting efficiency by:
Facilitating a sustainable process of continuous routing and monitoring of high risk transactions with limited manual intervention.
Assisting in managing, tracking and documenting exceptions.
Documenting and providing results to all layers of management via reports and dashboards.
Informing needed adjustments to rules, policies, and procedures based on results.
Future Action to Reduce Risk
Contact Information:
Melanie Rowley, CISA, [email protected]
Bill Kelley, CISA, CISM (714) [email protected]