Forensic Analytics by Robin Singh, 13th IIA Conference

Forensic Analytics
By Robin Singh
drobinsingh@gmail.com

Published in: Technology, Business

  1. Forensic Analytics, April, 2012. By Robin Singh, CFE, CFAP, CICA. Robin.singh@protivitiglobal.ae, +97150 134 0420
  2. FORENSIC ANALYTICS - MAKING THE DATA TALK. Why… How… When… Where?
      • Why is the same supplier winning all the contracts?
      • Did I receive the same claim last month?
      • Are my colleagues involved in money laundering?
      • Is this vendor a brother of one of my employees?
      IIA Conference
  3. Analysis and/or Analytics (diagram labels: Data Set 1, Data Set 2, Data Analysis, Analysis, Analysis with Knowledge, Analytics + Knowledge + Tools, Analytics). IIA Conference © 2012 Protiviti Member Firm (Middle East) Consultancy. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
  4. Straight from the Book
      • Data Analysis Defined… Data Analysis is an act of transforming data with the aim of extracting useful information and facilitating conclusions.
      • Forensic Analytics: Forensic Analytics is a science of using data analysis coupled with forensic know-how to derive meaningful facts, using technology and a knowledge base.
  5. Contents:
      • Forensic Analytics in an Organization
      • Forensic Analytics Methodology
      • Barriers to Analytics in Investigation/Litigation Cases
      • Data Collection and Analytical Techniques in an Investigation
      • Social Network Analytics
  6. Forensic Analytics in an Organization
  7. Forensic Analytics in an Organization (diagram labels: Pro-Active Cases; Apply Knowledge (e.g. Profiling) for Control Gaps; Decision etc.; False/True Positive; Reactive Cases; Interpret (e.g. Investigation); Information; Knowledge; Summarize Data/Reporting; Information; Tools; Time; Extraction; DATA)
  8. Why Does One Need Forensic Analytics
      • Investigations
      • Dispute and Litigation Services
      • Proactive preventive measures
      • Deciphering and inferring network
      • Finding a needle in a haystack
  9. Forensic Analytics Methodology
  10. Forensic analytics: Methodology
      Stage 1, Data identification:
      • Mapping of Electronically Stored Information and paper documents
      • Identification of structured and unstructured data
      • Identify relevant third-party data …etc…etc
      Stage 2, Forensic collection:
      • Collect data using forensic preservation best practices
      Stage 3, Data fusion (Unstructured data and Structured data: Transform and Load):
      • Use temporal and entity keys to integrate structured and unstructured data
      • Superimpose data sets to derive context
      Stage 4, Forensic analytics:
      • Apply rules-based detection on 100% of transaction data to identify anomalies (fraud, threats, etc.)
      • Develop statistically-based models to identify previously unknown patterns
      • Optimize anomaly detection rule sets through a feedback loop
      Diagram labels: Cumulative Scores; Pattern Detection; Social Analytics
  11. Reactive and Proactive Approach to Forensic Analytics (stages 3, Data fusion, and 4, Forensic analytics). Data fields shown: Name, Div, Sales Amount, Employee ID, Transaction Date, User Name, Transaction Type, Quantity, Customer Number, G/L Account, Price.
  12. Reactive Approach: Analyse and Interpret (stages 3, Data fusion, and 4, Forensic analytics). Define rules based on knowledge and experience.
      • Data fields shown: Name, Div, Sales Amount, Employee ID, Transaction Date, User Name, Transaction Type, Quantity, Customer Number, G/L Account, Price
      • Summarized by Part Number: Quantity, Part Number, Unit Cost, Warehouse Number
      • Diagram labels: Extensions & Footings Verified; Excess Inventory Profile; Unusual Items; Rules Setting and Creating Profiles; Subjectivity; Cases; Joining the Dots
  13. Pro-Active Approach: Model and Predict (stages 3, Data fusion, and 4, Forensic analytics). Modeling scenarios.
      • Data fields shown: Name, Div, Sales Amount, Employee ID, Transaction Date, User Name, Transaction Type, Quantity, Customer Number, Price
      • Optimization chart, "Number of Claims by Claim Value": x-axis Number of Claims (independent variable), y-axis Amount Claimed (dependent variable); fitted line y = 48.059x + 1215.9, R² = 0.6414
      • Quantity, Part Number, Unit Cost, Warehouse Number
      • Diagram labels: Rules Setting; Build Models; Joining the Dots
  14. Barriers to Analytics in Investigation/Litigation Cases
  15. Barriers to Analytics. Cost of inaccurate or careless analytics in complex litigations, disputes, and investigations is very high. In addition, analytics must be completed in very compressed time frames.
      • Managing Data from Multiple Sources: understanding various media, communication systems, proprietary systems
      • Data Location & Access: the volume of data required; the variety of data types, formats, and sources; and the veracity and accuracy of the data sets
      • Data Understanding: value to the analysis and lead to wastage of time
      • Data Preparation: how was data cleaned and prepared, if effectively; consistency
      • Manually Maintained Data: data integrity as change controls; how was data automated
  16. Data Collection and Analytical Techniques in an Investigation
  17. Corporate Investigation Life cycle (flow diagram). Phases: SCOPE; LAY FOUNDATION; DATA COLLECTION & ANALYSIS; OBSERVATIONS & RECOMMENDATIONS. Box labels include: Receipt of Allegation; Scoping the Allegation; Initiate Investigation; Preliminary Evaluation; Data Collection (Structured, Unstructured, Hard Copy); Interview; Informant; Analysis; Surreptitious Monitoring; Video Surveillance; Covert Activity; Spyware; Documentation; Investigative Reports and Findings; Observation; Recommendations; Referral to Law Firm; Corrective Action.
  18. Forensic analytics is a medium / mechanism (JOURNEY) and NOT the end result
  19. Case I: Scenario. XYZ Entity, Anonymous Email.
      Allegations: Irregularities in the areas of:
      • Inventory Loss
      • Vendor Payments (Kickbacks)
      • 3 key Employees' Expense Reimbursements
      Conduct investigation of the allegations at its Subsidiary Companies and HO
  20. Case I: Data Acquisition. Some Key Definitions:
      • Digital Evidence - Binary format, relied on in a court of law
      • Original Digital Evidence - Electronic equipment associated during the time of seizure
      • Duplicate
      • Copy
      • Chain of Custody (COC) - Where? When? Who and Whom?
      In this engagement we had collected about 2 TB of data (structured as well as unstructured)
  21. Case I: Data Acquisition. Safe Acquisition Methods:
      1. Restrict Access
      2. Forensic Duplication (1:1 bitwise)
      3. No Changes to Hash value
      4. Use read-only equipment (Write-blocker)
      5. Chain of Custody to be maintained
      6. Recording and labeling
      7. Anti-static plastic storage
      8. Shock proof: bubble bag during transportation
      9. Away from wireless devices
      Remember: If the computer is off, do not turn it on; if on, then unplug
  22. Case I: Some Analytical Results - Joining the Dots. Columns: Type | ID | Name | Address | Telephone
      • Vendor | V83586 | XYZ ltd | 3/54 Temple Street Elwood VIC 1111 | (9564 31111
      • Employee | E41121 | ABC | 3/54 ST ELWOOD VIC 1111 | 9564 1156 11
      • Vendor | V23422 | Jazz | Something |
      • Employee | E11051 | Fazz | Dumpling |
      • Vendor | EXEC02 | Mazz | Maple Road | 9682-0733333
      • Employee | VISD00 | KAZZ | Apple Pie | 9682 07333333
  23. Case I: Understand, Interpret and Optimize. Windows System Logs feature details of events fired on the system. Increased complexity with log files getting converted to flat files.
  24. Case I: Understand, Interpret and Optimize - Joining the Dots. Data converted into usable information. Final Result.
  25. Case I: Some Analytical Results. Application of Benford's law – Expense Claim (chart: % of occurrence by first two digits of invoice amounts)
  26. Case I: Deriving Relation - Joining the Dots. Inventory Theft. Can you take the words of a whistle blower as gospel truth? Let's verify.
  27. Case I: Vendor Fraud Risk Profiling
  28. Case I: Altered payee. The bank account details in payment transactions differ from the bank account set up in the vendor master.
  29. Case I: Summary of Findings Handed over to the Investigator
      Allegations: Irregularities in the areas of:
      • Inventory Loss
      • Vendor Payments (for Kickbacks)
      • 3 key Employees' Expense Reimbursements
      Findings:
      • Fuzzy Duplicate Invoices;
      • Fuzzy Address Match on selected vendors indicating 2 companies operating undertaking under two different banners;
      • Mr. X and Mr. Y filing duplicate expense reimbursement;
      • Price fluctuation for particular vendors for goods sold at unit price;
      • Correlation between shift manager of an inventory vs inventory leakage at a shift from 5-7 p.m.;
      • Vendor profiling reflecting number of failed tests for XYZ and KLM; and
      • Altered Payee (Who is the payment going to?).
  30. Social Network Analytics
  31. Social Networking Analytics. Social network analysis [SNA] is the mapping and measuring of relationships and flows between people, groups, organizations, computers, websites, and other connected information/knowledge entities. These measures give us insight into the various roles and groupings in a network -- who are the connectors, mavens, leaders, bridges, isolates, where are the clusters and who is in them, who is in the core of the network.
  32. Social Networking Analytics. Key stages of the process will typically include:
      • Identifying the network of people to be analyzed (e.g. team, workgroup, department).
      • Gathering background information - interviewing managers and key staff to understand the specific needs and problems.
      • Formulating hypotheses.
      • Mapping the network again after a suitable period of time.
  33. Case II: Background
      XYZ Listed Company:
      – A, listed on the XYZ stock exchange, is a lottery company.
      – An anonymous Email was received alleging certain financial irregularities.
      Areas of investigation (Anonymous Email):
      – Allegations of lottery insiders/retailers winning far too frequently over 9 years
      – Issues with non-winning tickets being printed as winners
      Assist client by reviewing 9 years of lottery data to determine if anomalies exist that may identify patterns of inappropriate ticket transactions by ticket retailers
  34. Case II: The data speaks for itself – leveraging analytic insights
      Forensic Analytics Insights, Result:
      • Six separate segments emerged, each representing a distinctly different set of characteristics.
      • Management can: identify those clusters exhibiting higher patterns of inappropriate activities; identify more effective placement of lottery devices; etc.
      • Graphical Representation (segments numbered 1 to 6)
      Forensic Analytics Rules:
      • Defining the set of rules is a critical task of any engagement
      • How many people using the same terminal
  35. Case II: Predictors of fraud – getting granular changes the rules and the outcome
      • Analysis revealed that designing fraud thresholds is more complex than one thinks at the commencement of an engagement.
      • Define True Negative
      • Define True Positive
      Diagram labels: Rule to indicate potential fraud; True-positive transactions
  36. Case II: A comprehensive view of relationships and superimposing structured and unstructured data
      • Deletion stub analysis for e-mail box (chart: number of e-mails deleted by date). We carried out an analysis on suspicious persons' email deletion dates to identify activities requiring additional investigation
      – The basis for the relationship mapping was the signatory of a XYZ contract
  37. Case II: Summary of Findings Handed over to the Investigator
      Allegations:
      – Allegations of lottery insiders/retailers winning far too frequently
      – Issues with non-winning tickets being printed as winners
      Findings:
      • Cluster formation indicates nearly 33% of them were insiders over the period of 9 years
      • Social network interaction analysis and emails reflect possible collusion between the retailers and the insiders
      • List of individuals who are currently in the company using these terminals
  38. Let's Discuss. IIA Conference © 2010 Protiviti Inc. ©2009 Deloitte Haskins & Sells. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
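
The vendor/employee matching behind slide 22 and the altered-payee test on slide 28, as an added Python example (not code from the deck). The records, thresholds and abbreviation list are constructed assumptions; the first address pair is modelled on the slide 22 table.

```python
import re
from difflib import SequenceMatcher

ABBREV = {"st": "street", "rd": "road", "ave": "avenue"}  # assumed, extend per locale

def address_tokens(addr):
    """Lower-case, split on punctuation and expand common abbreviations."""
    return {ABBREV.get(t, t) for t in re.findall(r"[a-z0-9]+", addr.lower())}

def address_score(a, b):
    """Jaccard overlap of the two token sets (1.0 means identical tokens)."""
    ta, tb = address_tokens(a), address_tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def phone_score(a, b):
    """Similarity of the digit strings, ignoring brackets, spaces and dashes."""
    da, db = re.sub(r"\D", "", a), re.sub(r"\D", "", b)
    return SequenceMatcher(None, da, db).ratio() if da and db else 0.0

def vendor_employee_links(vendors, employees, addr_min=0.8, phone_min=0.9):
    """Return (vendor id, employee id, reasons) for each pair worth a look."""
    links = []
    for v in vendors:
        for e in employees:
            reasons = []
            if address_score(v["address"], e["address"]) >= addr_min:
                reasons.append("address")
            if phone_score(v["phone"], e["phone"]) >= phone_min:
                reasons.append("phone")
            if reasons:
                links.append((v["id"], e["id"], reasons))
    return links

def norm_account(acct):
    """Compare accounts on letters and digits only, so 'acc 333' == 'ACC-333'."""
    return re.sub(r"[^A-Z0-9]", "", acct.upper())

def altered_payees(payments, vendors):
    """Flag payments whose bank account is not the one in the vendor master."""
    master = {v["id"]: norm_account(v["bank"]) for v in vendors}
    flagged = []
    for p in payments:
        expected = master.get(p["vendor_id"])
        if expected is None:
            flagged.append((p["id"], "vendor not in master"))
        elif norm_account(p["bank"]) != expected:
            flagged.append((p["id"], "bank account differs from master"))
    return flagged

# Constructed sample records (not data from the engagement).
VENDORS = [
    {"id": "V1001", "address": "3/54 Temple Street, Elwood VIC 1111",
     "phone": "(9564) 3111", "bank": "ACC-111"},
    {"id": "V1002", "address": "12 Harbour Road, Carlton VIC 2222",
     "phone": "9700 1234", "bank": "ACC-222"},
    {"id": "V1003", "address": "7 Maple Road, Kew VIC 3333",
     "phone": "9682-0733333", "bank": "ACC-333"},
]
EMPLOYEES = [
    {"id": "E2001", "address": "3/54 ST ELWOOD VIC 1111", "phone": "9564 1156"},
    {"id": "E2002", "address": "88 Ocean Ave, Brighton VIC 4444", "phone": "9555 0000"},
    {"id": "E2003", "address": "41 Apple Pie Lane, Kew VIC 5555", "phone": "9682 07333333"},
]
PAYMENTS = [
    {"id": "P1", "vendor_id": "V1001", "bank": "ACC-111"},
    {"id": "P2", "vendor_id": "V1002", "bank": "ACC-999"},
    {"id": "P3", "vendor_id": "V1003", "bank": "acc 333"},
    {"id": "P4", "vendor_id": "V9999", "bank": "ACC-444"},
]

if __name__ == "__main__":
    print(vendor_employee_links(VENDORS, EMPLOYEES))
    print(altered_payees(PAYMENTS, VENDORS))
```

A hit is a lead for the investigator, not a finding: shared premises or a switchboard number can link a vendor and an employee legitimately.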
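
The first-two-digits Benford test named on slide 25, as an added Python example (not code from the deck). The claim amounts are constructed, the 5,000 approval limit is an assumed scenario, and the z cut-off of 2.57 and the exclusion of amounts below 10 are assumed choices.

```python
import math
from collections import Counter

def first_two_digits(amount):
    """First two digits of an amount; amounts below 10 are left out."""
    amount = abs(amount)
    if amount < 10:
        return None
    return int(str(int(amount))[:2])

def expected_share(d):
    """Benford's expected share of amounts whose first two digits are d (10..99)."""
    return math.log10(1 + 1 / d)

def benford_outliers(amounts, z_crit=2.57):
    """Return (digits, observed count, expected count, z) where z exceeds z_crit."""
    digits = [d for d in map(first_two_digits, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        return []
    counts = Counter(digits)
    rows = []
    for d in range(10, 100):
        p_exp = expected_share(d)
        p_obs = counts[d] / n
        # z-statistic with a continuity correction of 1/(2n)
        gap = max(abs(p_obs - p_exp) - 1 / (2 * n), 0.0)
        z = gap / math.sqrt(p_exp * (1 - p_exp) / n)
        if z > z_crit:
            rows.append((d, counts[d], round(p_exp * n, 1), round(z, 1)))
    return rows

def sample_claims():
    """Constructed data: 3,000 log-uniform amounts between 10 and 10,000
    (which follow Benford closely), then the same set plus 60 claims
    placed just under an assumed 5,000 approval limit."""
    clean = [10 ** (1 + 3 * i / 3000) for i in range(3000)]
    padded = [4900.0 + i for i in range(60)]
    return clean, clean + padded

if __name__ == "__main__":
    clean, doctored = sample_claims()
    print("clean set outliers:   ", benford_outliers(clean))
    print("doctored set outliers:", benford_outliers(doctored))
```

Only the 49 bucket is flagged in the doctored set, which is the kind of spike in the "% of occurrence" chart that sends an investigator back to the individual claims.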
