Taking the Right Steps to Integrated Data-Driven Oversight Leveraging Data to Monitor Fraud, Waste and Abuse Melanie Rowley, CISA PMP ITIL, ACL Services.

2 Taking the Right Steps to Integrated Data-Driven Oversight Leveraging Data to Monitor Fraud, Waste and Abuse Melanie Rowley, CISA PMP ITIL, ACL Services Bill Kelley, CISA CISM

3 Reporting and Analytics – Process Overview
Reporting and Analytics Function: Drivers, Uses/Users
Example Standard Reporting: A-123/133 Compliance; Spend Analytics; Fraud, Waste, and Abuse; Tax Recovery
Example Ad-hoc Reporting:
• IG – All card activity data; Contract award Data
• GAO – Small Business Purchases; Identified fraud Issues by location
• OFM – Off-hour purchases; Cash Payments without documentation
• Ass’t Secretary – Best Price Purchases; Purchases to Green Vendors
USES: Fraud and Accountability; Card Program Management; Transition Management; Training, Learning, and Development; Risk Management; Fraud, Waste, and Abuse Detection and Prevention; Performance Measurement and Benchmarking; Tax Exemption and Recovery; Spend Analysis and Strategic Sourcing; Research and Intelligence
USERS: Revenue/Tax Audit Retirement Managers Human Resources Program Managers
Feedback
Input from Various Sources

4 End to End Process for Grant Oversight
Funding Over Time
Conflict of Interest; False Statements; False Certifications; Duplicate Funding; Inflated Budgets; Candidate Suspended/Debarred; Unallowable, Unallocable, Unreasonable Costs; Inadequate Documentation; General Ledger Differs from Draw Amount; Burn Rate; No/Late/Inadequate Reports; Sub-awards, Consultants, Contracts; Duplicate Payments; Excess Cash on Hand/Cost transfers; Unreported Program Income; No/Late Final Reports; Cost Transfers; Spend-out; Financial Adjustments; Unmet Cost Share
PRE-AWARD RISKS | ACTIVE AWARD RISKS | AWARD END RISKS
Dr. Brett M. Baker, 2010

5 Reasons Oversight Is Not Always Effective
• Not adequately verifying—drive bys
• Tend to avoid conflict with people
• Education—fraud detection not taught in school
• Pressure to finish audits
• Auditor vs. investigator—auditors have bias toward documents while investigators have bias toward witnesses
• Don’t understand business operations and impact of control weaknesses
• Not talking to lower level personnel
• Warning signs not recognized

6 Reasons We Miss Inappropriate Transactions When We Get Data
• Poorly defined scope
• Data acquisition
• Manually maintained data
• False positives
• Lack of familiarity
  • Data storage systems
  • Software systems
  • Organizational processes
• Lack of support from Sr. Leadership

7 FRAUD ENABLERS
• Defensive Posture
• Expanding Ranks of Fraud Mobsters
• Fragmentation
• Lack of Law Enforcement Coordination
• Unlimited Opportunities
• “Cost of Doing Business” Mindset
• Lack of Awareness at Executive Levels
• Minimal Deterrent

8 Framework for Aggressive Active Oversight
Data analytics-driven, risk-based methodology to improve oversight
• Identify institutions that may not use Federal funds properly
• Techniques to surface questionable expenditures
Life cycle approach to oversight
• Mapping of end-to-end process to identify controls
• 100% review of key financial and program information
• Focus attention to award and expenditure anomalies
Complements traditional oversight approaches
• Techniques to review process and transactions are similar
• Transactions of questionable activities are targeted

9 Things to Talk About
• Use analytics software to track and document results of identified high risk transactions selected for further review and investigation
• Carry out the auditor’s responsibility for assessing fraud risk factors and evaluating internal controls and standards
• Management can and should use similar methods to conduct reviews to meet internal control standards and the associated 17 internal control principles
• Demonstrate the types of evidence-gathering techniques used to identify anomalous behavior by individuals, business units, components, or the organization

10 Risks Concepts

11 When you press …………. And money comes out
We need to mitigate our risk

12 Areas of Concern When the Money Button is Pushed
The following areas are problematic and may occur in various combinations:
• Individual Use Purchases – Purchase of vehicles, vacation trips, TVs, clothes, stereo systems, and jewelry.
• Vendor Fraud – Vendors will charge additional fees for services previously paid and the charges will go unquestioned.
• Employee Conspiracy With Vendor – Employees receiving kickbacks in the form of vacations, gifts, and other by manipulating refunds/credits or making excessive purchases. Vendors will share profits with conspiring employees.
• External Fraud – Organized crime and individual fraudsters will commit fraud using compromised cards in similar ways to methods used against non-government cardholders with the key difference that the government is self-insured.
• Other – Includes year-end spending rush and stockpiling issues, supervisor pressure, and expediting mission by circumventing laws and regulations (i.e. repeated split purchases).

13 What does Fraud have to do with Terrorism?

14 Anomalies Happen
Everything isn’t always what it seems to be!

15 Common Sense Patterns
• If it does not make sense…
• It is not normal…
• It seems unusual…
• Too coincidental…
• Too frequent…
There is no right answer
There is no wrong answer
Merely an interpretation in context

16 Too Much Commonality
• Many patterns are exposed due to repeating behaviors
• Too many commonalities may indicate organized behaviors
• Subjects perpetrate the same crime at different financial institutions
• Only minor changes in their underlying Modus Operandi (MO)

17 GAO: Questionable Debit Card Charges
GAO examples of “questionable” charges for use of debit cards

18 Doctor Shopping Pattern
Target suspect is related to multiple doctors for the same prescription-types
Diagram: SUBJECT linked to PHYSICIAN-A, PHYSICIAN-B, PHYSICIAN-C, PHYSICIAN-D, PHYSICIAN-E, PHYSICIAN-F, PHYSICIAN-G

19 Multiple Pharmacy Usage
Target suspect uses multiple pharmacies to fill his prescriptions
Diagram: SUBJECT linked to WALGREEN DRUG STORE, RITE-AID PHARMACY, ECKERD, GIANT PHARMACY, ACME PHARMACY, CVS PHARMACY
The structure of this pattern is virtually identical to the doctor-shopping pattern

20 The Five Standards for Internal Control
• Monitoring
• Control Activities
• Risk Assessment
• Control Environment
• Information and Communication


22 Control Techniques
• Independent checks
• Approval
• Summarization
• Safeguards over access and use
• Segregation of duties
• Authorization
• Design and use of documents and records

23 Establishing Partnerships
Agencies need to establish partnership roles
• Data Repository
• Selection Criteria
• Data Analysis and Coding
• Field Research
• Analysis of Results
• Improve Process

24 Data Analytics Help….
Determine reliability data fields
• Shape of the data (statistics)
• Completeness of transactions and fields
Show anomalies….
• within a database
• between databases
• and changes in behavior over time
Develop risk profiles for comparisons
• Awardee profiles
• Award-type profiles
• Program profiles

25 Data Analytics: Myths and Realities
MYTHS
• Data only, no fieldwork
• Numbers exercise
• Too many false positives
• Process changes data
• Findings unsupported
• No testing controls
• Not auditing
REALITIES
• Focuses fieldwork
• Still test support with traditional techniques
• Source data not changed
• Findings have stronger support
• Yellow Book Compliant

26 Examples of Questions

29 Outcomes
Anticipated outcomes of transaction oversight:
• Strengthening internal control monitoring over the program.
• Identifying potential and actual card misuse.
• Reducing program financial exposure.
• Identifying policy flaws like organization-wide, office, or individual training gaps.
• Identifying opportunities to use BPAs and standardize equipment purchases to reduce costs.
• Supporting assurance over purchase card reported data.

30 Cardholder High Risk Factors
Data analysis allows us to build a high risk cardholder profile by identifying cardholders that appear to be untrained, prone to abusing or misusing the card, or who potentially make fraudulent purchases.
Warning Signs:
• Has the cardholder account been closed? Has a new card been re-issued more than once?
• Has the cardholder allowed others in the office to use their card for making purchases (i.e., while on leave)?
• Is the cardholder unable to provide proof of purchase such as receipts?
• Do the items purchased support mission need?

31 Activities Targeted - Management Controls
Examples of Management Control Indicators:
• Too many cardholder accounts per Approving Official – Management goal is no more than 7 cardholders for each Approving Official.
• Too many transactions per Approving Official – Management goal is no more than 300 transactions for each Approving Official.
• Approving Official transaction reviews are accomplished in either less or more time than expected.
• Purchase Card spending limits are all set to the maximum when actual purchase amount is significantly less.
• Purchase Card is assigned to an office or group of individuals instead of a specific person.

32 Activities Targeted - Examples
Examples of transaction indicators used to identify high risk transactions include but are not limited to:
• Repetitive buying pattern of even dollars, near purchase limits, or same or similar vendor name.
• Fewer than 5 cardholders using a specific vendor.
• Purchases from non-standard vendors.
• Purchases that happen on weekends, holidays, or when the cardholder is on leave or TDY.
• Items purchased exceed requirement or authorization documents, or have questionable value for user.
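
An added example, not part of the presentation: one way the management control indicators (slide 31) and transaction indicators (slide 32) could be expressed as automated checks. The record layout, the flag names, the 95% "near the limit" cutoff and the sample records are assumptions made for illustration; the thresholds 7, 300 and 5 are the ones stated on the slides.

```python
from collections import defaultdict, namedtuple
from datetime import date

Txn = namedtuple("Txn", "txn_id cardholder approver vendor amount day limit")

MAX_CARDHOLDERS_PER_AO = 7       # slide 31: cardholders per Approving Official
MAX_TXNS_PER_AO = 300            # slide 31: transactions per Approving Official
MIN_CARDHOLDERS_PER_VENDOR = 5   # slide 32: fewer than 5 cardholders using a vendor
NEAR_LIMIT_RATIO = 0.95          # assumption: "near the limit" = within 5% of it

# Constructed sample data (not real transactions)
WED, SAT = date(2015, 3, 4), date(2015, 3, 7)
SAMPLE = (
    [Txn(f"S{i}", f"CH{i:02d}", "AO1", "Staples", 41.37 + i, WED, 3000.0) for i in range(1, 6)]
    + [Txn(f"A{i}", f"CH{10 + i:02d}", "AO2", "Staples", 18.25, WED, 3000.0) for i in range(1, 9)]
    + [Txn("T1", "CH01", "AO1", "Acme Resort Supply", 2950.00, SAT, 3000.0)]
)

def flag_transactions(txns):
    """Map txn_id -> list of transaction indicators that fired."""
    vendor_holders = defaultdict(set)
    for t in txns:
        vendor_holders[t.vendor].add(t.cardholder)
    flags = defaultdict(list)
    for t in txns:
        if t.amount == int(t.amount):
            flags[t.txn_id].append("even_dollar")
        if NEAR_LIMIT_RATIO * t.limit <= t.amount <= t.limit:
            flags[t.txn_id].append("near_limit")
        if t.day.weekday() >= 5:  # Saturday or Sunday
            flags[t.txn_id].append("weekend")
        if len(vendor_holders[t.vendor]) < MIN_CARDHOLDERS_PER_VENDOR:
            flags[t.txn_id].append("rare_vendor")
    return dict(flags)

def flag_approving_officials(txns):
    """Map Approving Official -> management control indicators that fired."""
    holders, counts = defaultdict(set), defaultdict(int)
    for t in txns:
        holders[t.approver].add(t.cardholder)
        counts[t.approver] += 1
    out = defaultdict(list)
    for ao in holders:
        if len(holders[ao]) > MAX_CARDHOLDERS_PER_AO:
            out[ao].append("too_many_cardholders")
        if counts[ao] > MAX_TXNS_PER_AO:
            out[ao].append("too_many_transactions")
    return dict(out)
```

A flagged record is a candidate for review, not a finding; holiday, leave and TDY checks would need calendar and personnel data that this sketch does not model.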

33 Future Action to Reduce Risk
Automated reviews will promote advanced monitoring and strengthen the internal control environment by:
• Supporting improved compliance with existing requirements.
• Defining new rules and related controls based on results of analysis.
• Assisting in the development of continuous monitoring procedures to mitigate future fraud, waste and abuse.
• Producing on-going analysis, reports, metrics and other timely data to evaluate and manage the Purchase Card program.
• Identifying vendors, cardholders, approvers, and types of transactions to target with increased scrutiny.

34 Future Action to Reduce Risk
Improve reporting efficiency by:
• Facilitating a sustainable process of continuous routing and monitoring of high risk transactions with limited manual intervention.
• Assisting in managing, tracking and documenting exceptions.
• Documenting and providing results to all layers of management via reports and dashboards.
• Informing needed adjustments to rules, policies, and procedures based on results.

35 Q&A

36 Contact Information:
Melanie Rowley, CISA, PMP 202-649-0691
Bill Kelley, CISA, CISM (714) 273-4057
