Using data analytics to find fraud under those shells
Google the phrase “shell company fraud scheme” and you’ll discover more news stories than you have time to read. In Southeast Asia, an employee stole $11 million using a false-billing shell-company scheme. In the U.S., a company lost $65 million through a similar scheme. Fraudsters are using shell companies to steal millions of dollars from organizations every year.
Shell companies are business entities that typically have no physical presence (other than a mailing address), no employees and generate little, if any, independent value. They’re not necessarily illegal, but employees can use them to commit fraud.
They might be nothing more than a fabricated name and address that an employee uses to collect disbursements from false billings. However, because the perpetrator receives payments made out in the shell-company name, the perp normally will also set up a bank account in their new company’s name so they can deposit and cash the fraudulent checks. (See the online ACFE Fraud Examiners Manual, Section 1: Financial Transactions and Fraud Schemes/Asset Misappropriation: Fraudulent Disbursements/Billing Schemes.)
In the last few years, organizations have become increasingly concerned about this growing threat. Perpetrators have used shell companies to commit a variety of fraud schemes — everything from asset misappropriation and money laundering to bribery and corruption schemes. Now audit committees are asking the tough question: Could this happen in our company?
In this article, I’ll walk you through the process of using fraud data analytics to discover shell companies. The process begins with: 1) writing a fraud-risk statement, 2) determining the fraud data analytics methodology and 3) searching master file and transactional data. I’ll also share with you some real-life stories of how we’ve detected these schemes.
Fraud data analytics methodology
When it comes to using fraud data analytics, your team needs to follow a few basic rules:
Understand what you’re searching for by creating a fraud-risk statement.
Develop a fraud data analytics plan based on your fraud-risk statement.
Understand how every business transaction links to the master-file data and transactional file data. (A master file is the data identity of a vendor. A transactional file is the data identity of the purchase orders, vendor invoices and payments.)
Use data analytics to search for data patterns and frequencies that correlate to the fraud-risk statement.
Fraud data analytics is the process of using data mining to analyze data for red flags correlating to a specific fraud-risk statement. In auditing for fraud, the project doesn’t start with an allegation but rather a fraud-risk statement. It’s up to the fraud examiner or auditor to identify suspicious vendors that might be part of a shell-company scheme. Through data-pattern analysis and fraud-testing procedures, the fraud examiner or auditor can then identify vendors for investigation.
The starting point of a fraud data analytics project is a fraud-risk statement, which provides the program specifications for designing and interpreting data. After you develop the statement, you can formulate a strategy for effectively identifying shell companies.
A fraud-risk statement includes three critical elements: 1) the occupation of the person committing the scheme, 2) the type of shell company and 3) the fraud action.
When you’re creating the statement, consider how the perpetrator might have adapted the shell company to the organization’s or vendor’s industry. For example, in a construction audit, a pass-through scheme might involve a subcontractor that’s legally owned by the general contractor but has been created with the intent to inflate contract costs.
(In a pass-through scheme a fraudster sells actual goods or services to victim companies. Employees in charge of purchasing on the victim company’s behalf usually commit these pass-through schemes. Instead of buying merchandise directly from a vendor, a crooked employee sets up a shell company and purchases the merchandise through that fictitious entity. They then resell the merchandise to their employer from the shell company at an inflated price. See the online ACFE Fraud Examiners Manual, Section 1: Financial Transactions and Fraud Schemes/Asset Misappropriation: Fraudulent Disbursements/Billing Schemes.)
Also, consider the intended use of the shell company. For example, in a Foreign Corrupt Practices Act scheme, management might be using the shell company to conceal bribes. In the case of disguised government-preferred vendors (a vendor registered with a government as, for example, a minority vendor), a contractor might create a shell company to provide the illusion of meeting contract requirements.
Two fraud-risk statements
I’ll focus on fraud-risk statements for pass-through and false-billing schemes that commonly occur throughout the world and potentially in every organization.
Here’s a fraud-risk statement for a pass-through scheme (of which there are at least 15 permutations):
A budget owner (someone in an organization who’s accountable for spending decisions in their area of responsibility), acting alone or in collusion with a direct-report employee, arranges a shell company to be set up on the master file and places orders for goods or services through the shell company. The shell company then places an order with a real supplier, and the real supplier ships directly to the budget owner’s company. The real supplier invoices the shell company, and the shell company invoices the budget owner’s company at an inflated price, which diverts company funds.
Here’s a fraud-risk statement for a false-billing scheme:
A budget owner, acting alone or in collusion with a direct-report employee, causes a shell company to be set up on the vendor master file. The budget owner then arranges the issuance of a purchase order or contract and approves a fake invoice for goods or services, which diverts company funds.
Analyzing master-file data and transactional-file data
Once you’ve followed rules 1 through 3, you can begin rule 4 — searching for shell companies by analyzing either the master-file data or the transactional data. (I’ve found transactional data to be more telling. However, the starting point is more a matter of style versus form.)
Before you begin, ensure you’ve calibrated your analytics to match the perpetrator’s “sophistication of concealment” or their ability to hide illicit transactions. Fraud examiners reveal fraud when their methods of detection are more sophisticated than fraudsters’ methods of concealment.
For example, consider these levels of sophistication for created vendor addresses for shell companies:
Low sophistication: a direct match between a perpetrator’s known address and the shell-company address.
Medium sophistication: A limited match between a perpetrator’s known address and the shell-company address (i.e., a perpetrator’s address is located in same city, state or country as the shell company).
High sophistication: No match exists between the perpetrator’s known address and the shell-company address.
Adapting to fraudsters’ expertise
To identify instances of fraud, fraud examiners must adapt their analytics to match the perpetrators’ levels of expertise.
Here are some guidelines for searching master-file and transactional-file data.
Employ a unique fraud data analytics approach for each of the five primary categories of shell companies.
In a created shell-company scheme, an internal person causes a shell company to be added to the accounts payable file to commit a false-billing or pass-through scheme. To detect a created shell company, you must:
Search for missing vendor information because the perpetrator is attempting to control who can contact the shell company.
Match address or bank accounts to the human resources database.
Identify anomalies in the data (i.e., a vendor with no associated address or bank account).
In an assumed shell-company scheme, an internal person takes over the identity of a dormant vendor already on the master file or a real marketplace vendor not on the master file. To identify this type of scheme:
Search for changes (temporary or permanent) to addresses or bank accounts.
When searching for a real vendor in the marketplace, follow the steps for identifying created shell companies.
In a hidden shell-company scheme, a real company operates under multiple names. The first company is the real company, and the additional companies are shells. This scheme is intended to circumvent control levels or provide the illusion of competitive purchasing.
To identify a hidden shell company, search for duplicate data between two or more vendors (i.e., telephone numbers, email addresses and government identification numbers). In a simple scheme, you might find duplicate addresses or bank account numbers.
A conflict-of-interest shell company utilizes a legally created company that provides goods or services, but the vendor has only one client: you. An internal employee or someone related to the employee might own this company. To detect this scheme, use similar data analytics as you would in identifying a created shell company.
Temporary shell companies are those the perpetrator uses for a limited number of transactions. The shell company could be a created or assumed identity, and the company might exist in name only. Organizations that have one-time payment procedures are often vulnerable to this scheme. To detect a temporary shell company, look for a limited number of transactions to one vendor that correlate to one cost center.
Keep it simple when you’re searching for shell companies. Focus on the key transactional data: tables for purchase orders, invoices and payments.
Here are five key elements of transactional data to analyze:
The control number/invoice number.
A sequential pattern or a low-starting invoice number is a good indicator of a created shell company or conflict-of-interest scheme. A more sophisticated fraudster will use a limited range pattern rather than a sequential pattern.
The date field.
Look for an illogical order of transactions — invoice dates occurring before purchase order dates — or unusual speed of processing. Compare the payment date to the invoice date. Both anomalies indicate that someone is seeking to circumvent internal controls.
The invoice amount.
If an invoice amount falls below a control threshold, a perpetrator might be trying to avoid the need for dual approval. If all invoices for a vendor are below a key control level, that vendor could be a shell company.
Analyze the line description on the invoice for anomalies in the alpha or numeric data, including the alpha and numeric string lengths (the number of numeric integers, letters or special symbols in the data field) plus the absence of alpha or numeric data or keywords.
The general-ledger account.
This account links directly to the person committing the fraud scheme. General-ledger accounts can help you predict whether you’re looking for a pass-through or false-billing scheme. Equipment rentals are commonly associated with pass-through schemes. Professional services categories are often associated with false-billing schemes. When you analyze the transactional data, weigh the accumulated significance of all the red flags. In some cases, one glaring red flag — for example, a vendor address that directly matches an employee address — indicates fraud. However, more often you must search for a variety of small red flags that collectively indicate fraud.
Real-life fraud cases
We used the data analytics techniques above to uncover these false-billing and pass-through schemes at various organizations. (To protect confidentiality, we don’t use clients’ or vendors’ names.)
A vice president of Ambiva Corp. added R. Consulting Inc. to the vendor master file. The vice president stole $130,000 in one month through four invoices numbered in a sequential pattern: 1, 2, 3 and 4. The first two invoices bore the same date, and each invoice was below the control threshold. However, the two invoices together exceeded the control level. All transactions were recorded to the same cost center. Invoice descriptions all were “consulting services.” We identified this as a created shell-company scheme.
In another case, Manunte Inc. used a vendor, SLP Consulting Inc. The invoice-number pattern was sequential, but we didn’t see patterns in the invoice dates or amounts. The invoices started with a five-digit invoice number to provide the illusion of an existing company. Our investigation determined that the wife of the vice president of human resources at Manunte was providing these consulting services for a total cost of $120,000. We identified SLP Consulting as a conflict-of-interest shell company.
In a third case, Telezio Inc. had 65 invoices totaling $1.9 million with a sequential pattern of invoices over an 860-day range. All invoice amounts exceeded the control threshold. The fraud audit procedures revealed that the vendor had no website. No one answered the vendor’s listed telephone number and we couldn’t locate any invoices in the accounts payable file. We referred the case to an internal Telezio investigation department.
In a fourth case, a perpetrator created three different shell companies — all with different addresses in different states. The transactional analysis revealed the scheme because all three companies used the same invoice numbers, dates, errors and invoice amounts. They also charged to the same cost center. The organization’s losses from the shell company were $19,800, and the total losses from all the perpetrator’s schemes exceeded $150,000.
Lunoid Inc. outsourced computer programming services for more than $5 million per year. We investigated a potential shell company that provided programmers who worked remotely. First, we identified the general-ledger categories that would lend themselves to a pass-through scheme. Next, we compared invoice-number patterns among all vendors in the same general-ledger category to determine the normal pattern of vendor invoices. The invoice-number analysis didn’t reveal any strong clues. However, anomalies in the line-item description fortunately revealed the perpetrator. Though line-item descriptions usually aren’t useful in identifying shell-company schemes for services, we followed the old adage, “If you don’t look, you can’t see.”
In a second case, we identified a hidden-entity shell company within Kalium Inc. that supposedly provided crushed stone for road construction. We first performed a search on transactional data by commodity code. (Commodity codes classify goods for import and export.) The analysis revealed three different companies that provided crushed stone. The transactional analysis indicated that all purchase orders were issued below bidding levels, and the master-file data revealed duplicate information for all three vendors. However, the key red flag was our understanding that the country’s economy wasn’t large enough to have multiple vendors in the crushed-stone industry.
In a third case, no single red flag was glaring enough to reveal the fraud scheme. We were only able to uncover the fraud by using multiple analyses. The contract officer at Infraloo Corp. had discontinued purchasing from a historical supplier and had begun purchasing from a new vendor, North Atlantic Supplies, by explaining that it was a registered minority vendor. However, our fraud data analytics revealed a series of red flags about North Atlantic Supplies. A change analysis that compared prior-year to current-year purchases showed that the previous vendor was a publicly traded company, but North Atlantic Supplies was a privately held company. We noticed that the purchase orders for North Atlantic Supplies had been issued after the invoice date. The invoice-number pattern was a limited-range pattern, which provided the illusion that the vendor had other customers. A limited-range pattern occurs when the perpetrator issues invoices in a random ascending pattern, but the number range between the first invoice and the last invoice isn’t consistent with a real vendor.
Infraloo Corp. initially paid invoices consistent with its company policy, but over a year the speed of payment increased — from 30 days to 15 days. The invoice description fields failed both our alpha and numeric tests. Finally, the master-file data analysis indicated that the vendor was preferred and revealed the lack of data commonly found in the company’s master file. Our investigation eventually identified losses totaling $500,000 paid to North Atlantic Supplies.
Shell-company science and art
Fraud data analytics is the key to finding shell companies. However, like baseball, for example, it’s both a science and an art. In baseball, you might perfectly understand the exact science of connecting bat to ball, but if you never swing that bat, you’ll obviously never master the sport, let alone hit the ball. In the same way, fraud examiners need to apply their data analysis knowledge and tools to find fraudulent shell-company scenarios hiding in data systems.