When agencies use data analytics to inform fraud assessments, they can target their approach and increase their value‑for‑money proposition.
At QAO, we use analytics to target our work. It provides unique and timely insights into organisational relationships across large datasets. Analytics helps us identify outliers and unexpected changes in trend data, and undertake some forensic procedures around fraud risks. This means teams can cover a greater percentage of the population in a reduced amount of time.
For example, analytics can help us identify suspicious activities or anomalous transactions, risks of particular vendors, or targeted testing of operational ‘hot spots’.
Why is using analytics to inform fraud assessments important to my organisation?
Unfortunately, we continue to find weaknesses in agencies’ internal controls that increase the risk of fraud. Over the last couple of years, we have also seen an increasing number of attempts to defraud government entities by changing vendor and employee bank account details, and lodging fraudulent claim forms.
Agencies can use analytics to gain insights in a similar manner to us; but they can also use it in a targeted and deeper manner to identify fraud risk events quickly and cut-off fraudulent activity. Agencies can use analytic results to inform ongoing development of fraud and corruption control programs, improve service delivery, and better direct investment.
How can I improve my capability to identify fraud and fraud risks?
Most agencies already hold rich information that they can match to other internal sources, or external databases, to inform their fraud risk assessments. Non-financial information, for example, can provide unique insights when paired with other information, such as matching allowance claims with events (like weather events).
But analytics doesn’t have to be complex. Agencies can start small, by:
- testing rules—does a population follow a rule? For example, do certain events or transactions need a particular level of approval, such as where external client visits can only be approved by managerial level or above within that team
- understanding populations—do you know when certain transactions are undertaken, processed and by who? Does this make sense to you?
At QAO, for example, an audit may compare:
- bank account details of vendors, grantees and employees to identify matches that can help inform probity assessments
- employee details against public databases, such as the Australian Business Register, to identify which employees are selling goods or services to an organisation
- vendor bank account details, addresses and directors to identify related entities when assessing responses to tender requests
- overtime and allowance claims, possibly against known events, to identify trends and expectations
- vendor payment frequency and amount to identify unexpected results.
These comparisons provide a starting point for greater fraud mitigation activities.
How do I access the right information and perform this analysis?
Agencies can access public information, such as the Australian Business Register, Australian Securities and Investments Commission company databases and Australian Bureau of Statistics databases, to match with data they already own. There are a variety of publicly available tools agencies can use to build analytical capability and repeat analysis on a regular basis.
What do I need to do now?
Agencies should act on this information in a timely and considered manner and build it into business‑as‑usual processes. This doesn’t mean a big-bang approach:
- Revisit your agency’s data strategy and system of data governance.
- Use our toolkits (which we have outlined below) or other procedures to identify which areas in your business are the most susceptible to fraud and corruption.
- Undertake a cost-benefit analysis to build an appropriate level of sophistication into your agency’s fraud analytics capabilities.
- Incorporate any improvements into your agency’s data governance processes and strategy.
- Remember that infrastructure and artificial intelligence still require human intervention to determine focus and interpret results.
Agencies can use the results from initial assessments and risk tolerances to inform what they analyse and how frequently they do so.
We have found that collaboration gets the best results; business leads/managers can help inform approach and share results back. The increased engagement will give agencies a better chance of getting organisational buy-in and improvements made.
We have been providing tools and advice on how to self-assess and identify fraud risks for a while.
Some recent publications include our Fraud risk assessment planning tool and our Fraud and corruption self-assessment tools, which are both available on our website. We have also written about fraud risks in our reports to parliament, including Report 6: 2017–18 Fraud risk management and Report 19: 2014–15 Fraud Management in Local Government. Our yearly sector-based reports to parliament also highlight fraud risks we have identified during the audit year.