Data Analysis Week – Part III: Data Analysis to Prevent Employee Fraud

Thomas Fox - Compliance Evangelist

I continue my exploration of the use of data analytics in a best practices compliance program. Today we look at how data analytics can be used to help detect or prevent bribery and corruption where a company's primary sales force is its own employees. Several significant corruption actions in China, involving both the Foreign Corrupt Practices Act (FCPA) and Chinese domestic law, involved China-based employees defrauding their company by using false expense reports to create a pot of money to use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 up to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal use but for greater corporate malfeasance.

I asked Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, how data analysis might help a Chief Compliance Officer (CCO) or compliance practitioner detect such conduct, and also move towards helping prevent such conduct in the future. Oringel related case studies from his organization where they used data analysis to review employee expense reports and how that experience can be used to formulate the same type of data analysis for a CCO or compliance practitioner.

As discussed earlier in this series, Visual Risk IQ recommends beginning with brainstorming. This step includes understanding an organization’s Procurement and Travel & Expense policies, and asking questions about how those policies can be circumvented. One common technique is to split larger purchases across multiple smaller transactions, so their organization has designed their data analytics queries to detect such split transactions.

In the example we discussed, Visual Risk IQ’s client uses procurement cards (P-cards) for certain low dollar-value expenses. The Company has a procurement card limit for most employees in their organization, which is $3,000 for a single transaction and $10,000 in aggregate spend for a single month. The Company wanted to identify any use of P-cards for larger dollar transactions that may have required capitalization as fixed assets, in addition to identifying inappropriate or personal purchases. Through the use of data analytics, Oringel shared how his team identified the purchase of a $9,500 computer system that an employee had split into multiple invoices across multiple days, using one invoice per day from the same computer vendor. The transactions looked like these listed below:

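| Date      | Purchase | Vendor        | Amount |
|-----------|----------|---------------|--------|
| Monday    | Computer | XYZ Computers | $2,800 |
| Tuesday   | Monitor  | XYZ Computers | $2,400 |
| Wednesday | Printer  | XYZ Computers | $1,800 |
| Thursday  | Software | XYZ Computers | $1,500 |
| Friday    |          | XYZ Computers | $1,000 |
| Total     |          |               | $9,500 |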

In total, the five transactions easily circumvented the organization’s $3,000 single transaction limit and their capital expense limit as well. The single computer system purchase was with the same merchant but split across multiple days and invoices. Clearly this series of transactions was a problem.

Oringel contrasted the above example with a similar issue they identified related to split transactions. The organization had an employee who was responsible for maintaining and scheduling a fleet of over 100 vehicles. One of the responsibilities was paying various bills related to the vehicles, including the State Department of Motor Vehicles, and the taxes billed individually per car. Visual Risk IQ wrote queries, similar to those that identified the inappropriate computer system purchases, and identified this employee as one who routinely exceeded the P-Card’s single transaction limit with the same vendor when multiple transactions in a month were evaluated together.

Their split limit query identified that this employee often completed multiple transactions with the same vendor, the State Department of Motor Vehicles, on the same day. However, the “aha!” moment was quite different from an employee splitting transactions to purchase items above her limit in violation of company policy. Here Visual Risk IQ’s data analysis demonstrated that those transactions were not fraudulent, improper or inappropriate; rather, the employee’s spending limit needed to be raised because the card was being used as intended, and this employee had more spending responsibilities than most others in the organization. There were benefits to paying the tax bill via P-Card, but the organization had set her spending limit before vehicles were managed centrally, so with the larger fleet and central management of vehicles, the organization needed to raise her spending limit specifically for that vendor. For other transactions, she would have the same transaction limits as other employees, but because her responsibilities involved registering so many vehicles, Visual Risk IQ recommended that the root cause be remediated by changing some of the controls in place.
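The split-limit check described in the two cases above can be sketched as follows. This is an added example, not Visual Risk IQ's query: the dates, employee IDs, DMV amounts and the 7-day window are constructed assumptions, and only the $3,000 limit and the computer-system amounts come from the article.

```python
from collections import defaultdict
from datetime import date, timedelta

SINGLE_LIMIT = 3000   # per-transaction P-card limit stated in the article
WINDOW_DAYS = 7       # assumption: how far apart related purchases may be

# Constructed sample data: (employee, date, vendor, amount in dollars)
TRANSACTIONS = [
    ("emp_A", date(2024, 3, 4), "XYZ Computers", 2800),
    ("emp_A", date(2024, 3, 5), "XYZ Computers", 2400),
    ("emp_A", date(2024, 3, 6), "XYZ Computers", 1800),
    ("emp_A", date(2024, 3, 7), "XYZ Computers", 1500),
    ("emp_A", date(2024, 3, 8), "XYZ Computers", 1000),
    ("emp_B", date(2024, 3, 11), "State DMV", 900),
    ("emp_B", date(2024, 3, 11), "State DMV", 900),
    ("emp_B", date(2024, 3, 11), "State DMV", 900),
    ("emp_B", date(2024, 3, 11), "State DMV", 900),
    ("emp_C", date(2024, 3, 5), "Acme Supplies", 450),
]

def find_split_candidates(txns, limit=SINGLE_LIMIT, window_days=WINDOW_DAYS):
    """Flag same-employee, same-vendor purchases that together exceed the limit."""
    groups = defaultdict(list)
    for emp, day, vendor, amount in txns:
        groups[(emp, vendor)].append((day, amount))
    findings = []
    for (emp, vendor), rows in groups.items():
        rows.sort()
        cluster = []
        for row in rows + [None]:  # None is a sentinel that flushes the last cluster
            in_window = (row is not None and
                         (not cluster or row[0] - cluster[0][0] <= timedelta(days=window_days)))
            if in_window:
                cluster.append(row)
                continue
            total = sum(amount for _, amount in cluster)
            if len(cluster) >= 2 and total > limit:
                findings.append({"employee": emp, "vendor": vendor, "count": len(cluster),
                                 "total": total, "distinct_days": len({d for d, _ in cluster})})
            cluster = [row] if row is not None else []
    return findings

if __name__ == "__main__":
    for finding in find_split_candidates(TRANSACTIONS):
        print(finding)
```

Both the computer purchase and the DMV payments are flagged; the output is a review queue, and the `distinct_days` and vendor fields give the reviewer the context needed to tell a policy violation from a limit that is set too low.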

Another area that Oringel and Visual Risk IQ have focused on is travel and entertainment (T&E). Oringel advocates using analytics to identify out-of-policy expense reports and out-of-compliance expenses. This is achieved by using logic similar to that noted above for accounts payable; when applied to employee expense accounts, Oringel said that it is often called “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report or a P-card charge or other type of expense. These are examples that can be uncovered with data analytics, and from there you can move to determine whether they might be an intentional, as opposed to an unintentional, mistake.

In the case of double dipping, Oringel said a key is to look for the same airfare or hotel or meals, perhaps being reported on multiple employees’ T&E expense reports. He gave the following example, “An employee takes another employee out for a business meal; and they pay for the meal on one expense report, all while, at the same time, the coworker records the meal, same day, same city, and claims that employee as one of their attendees. We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees.”

Other examples of double dipping include duplicate transactions between meals and per diem allowances, or mileage and company vehicles or rental cars. Oringel noted those are all things that can be identified with data analytics that are very difficult for an individual approver to see on a single expense report. He cautioned it is not that the approver is not doing a good or prudent job, “but typically, when you’re tasked with approving an employee’s expense report, what we have is just their single report in front of us. It’s difficult to recall who would have submitted a report one or two months ago, and it’s very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later when they took the trip, that air expense could be reported a second time.”
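A cross-report check for the two double-dipping patterns described above (the shared meal claimed by both diners, and the same airfare claimed on two reports) might look like this. It is an added example, not code from the article or from Visual Risk IQ; the field names, report IDs and sample rows are constructed.

```python
from itertools import combinations

# Constructed sample expense lines; amounts are in cents to avoid float comparison.
EXPENSES = [
    {"report": "R-101", "employee": "alice", "date": "2024-02-01", "city": "Houston",
     "category": "airfare", "amount": 61240, "attendees": []},
    {"report": "R-140", "employee": "alice", "date": "2024-03-14", "city": "Houston",
     "category": "airfare", "amount": 61240, "attendees": []},
    {"report": "R-150", "employee": "bob", "date": "2024-03-20", "city": "Austin",
     "category": "meal", "amount": 9600, "attendees": ["carol"]},
    {"report": "R-151", "employee": "carol", "date": "2024-03-20", "city": "Austin",
     "category": "meal", "amount": 8850, "attendees": ["bob"]},
    {"report": "R-160", "employee": "dave", "date": "2024-03-20", "city": "Austin",
     "category": "meal", "amount": 3100, "attendees": []},
]

def find_double_dips(expenses):
    """Compare every pair of expense lines across reports and label suspicious pairs."""
    hits = []
    for a, b in combinations(expenses, 2):
        if a["report"] == b["report"] or a["category"] != b["category"]:
            continue
        same_employee = a["employee"] == b["employee"]
        if same_employee and a["amount"] == b["amount"]:
            # Same person, same category, same amount on two different reports.
            hits.append(("repeat_claim", a["report"], b["report"]))
        elif (not same_employee and a["category"] == "meal"
              and a["date"] == b["date"] and a["city"] == b["city"]
              and (b["employee"] in a["attendees"] or a["employee"] in b["attendees"])):
            # Two people each expensed a meal, same day and city, naming each other.
            hits.append(("shared_meal", a["report"], b["report"]))
    return hits

if __name__ == "__main__":
    for hit in find_double_dips(EXPENSES):
        print(hit)
```

The unrelated meal in the same city on the same day (R-160) is not flagged because neither diner appears in the other's attendee list, which is the detail an approver looking at a single report cannot see.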

Oringel said the same issue could arise with P-card purchases if you have an approver considering a single $2,500 purchase who approves that purchase on Monday and then again on Friday. Yet had those two transactions been on the same day, in excess of the employee’s spending limit, the approver might not have approved both of them, but because they were submitted on different dates, it may well appear to the approver they were two separate transactions. With data analytics, Oringel and Visual Risk IQ are able to aggregate those multiple trip or P-card reports into a single screen or report, to help a reviewer or an approver determine whether the transactions meet employees’ policies, both individually and in the aggregate.

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.

Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.
