How to use forensic data to better manage risk

Executives are increasingly urging their companies to collect and use data to prevent, detect, and investigate misconduct, fraud, and non-compliance issues, according to an EY survey that involved more than 600 respondents at companies in 17 countries

Seventy-four per cent of the executives, many of them heads of internal audit, said they needed to do more to improve their companies’ risk management, including forensic data analysis. Only 55% (compared with 64% in 2014) of executives said they were confident they are spending enough on forensic data analytics to address key business risks such as cyber breaches, internal fraud, increasing regulatory scrutiny, and rising bribery and corruption risks in emerging markets.

The sense of urgency among respondents in EY’s 2016 Global Forensic Data Analytics Survey was particularly high amongst respondents in emerging markets. Respondents in Mexico, India, Brazil, and China were the most adamant in supporting the use of forensic data analysis to better manage fraud risks.

New advanced analytical tools and monitoring are being developed to help companies manage current and emerging fraud risks. Despite their eagerness to use them, few respondents said they are recognising the full value forensic data analytics can deliver.

Only 20% of the respondents said they realised the full benefits of forensic data analytics in moving investigations along faster and increasing business transparency. Nineteen per cent said they realised full benefits in getting the business to take more responsibility in managing anti-fraud programs, and only 9% realised full benefits in reducing the cost of anti-fraud programmes.

According to the report, to make the best use of forensic data analytics to mitigate risks, companies should:

Build teams with the right skills. Three distinct skillsets are necessary in a company to successfully deploy forensic data analytics. It takes people with the technical skills to understand the company’s systems and advise on acquiring additional technology. People familiar with the relevant risk areas in the business must be also able to interpret analytics results. And it takes people with expertise in mathematical, computer science, and business intelligence techniques, such as pattern recognition, statistical analysis, query design, and data visualisation.

Few companies have all three skills in place. Nearly 40% lack people with the technical skills, and about one-third do not have enough people with the expertise to analyse the data.

Deploy the right technology. Building data sets that talk to one another is the first step to successful analytics. Another is to use sophisticated analytics tools. Thirty per cent of companies agreed that analysing social media produced positive results, and 29% considered data visualisation tools useful.

To meet budget, less costly self-service applications, which require less customisation to implement, are available via the cloud. Significant improvements in computer power and scalability as well as decreasing storage costs also make the use of forensic data analytics more cost-effective.

Analyse large data volumes. More powerful analytics tools allow companies to analyse larger amounts and a wider variety of data. Tools that help reduce insider threat, cyber-risks and fraud risks, for example, trigger an alert when an employee submits an expense amount that exceeds a predefined reimbursement policy, scan unstructured data to identify suspicious language used, or enable an investigative team to quickly gain an understanding what information may have been compromised.

Companies that analysed the largest amount of data (more than 10 million records) were the most likely to report positive results (79%). Also, companies reported positive results from a wide variety of unstructured data they analysed, including electronic communication, social media, customer calls, external data sources, and network system information.

—Sabine Vollmer (svollmer@aicpa.org) is a CGMA Magazine senior editor.