Finding the needle:

Using forensic analytics to understand what happened – and what might happen


Data pervades almost every business and industry, whether it be financial services, retail, telecoms and media, or legal and other professional services. The vast majority of business now generates and is conducted through data of some form, and data volumes continue to grow exponentially. This presents a challenge to businesses in preventing and detecting fraud and other wrongdoing that may put a company at risk.

Fraudsters are a crafty bunch. Their goal is to remain undetected, and many of them do a really good job at accomplishing that goal. In fact, according to The 2012 Report to the Nations on Occupational Fraud and Abuse, a biennial report published by the Association of Certified Fraud Examiners, 65 per cent of occupational fraud at public companies was detected by tips, management review or simply by accident. What this says is that, for all the internal controls employed by companies today, when fraud is discovered, it is by humans – and by accident – rather than by technology.

That is a sad statistic, given the wealth of sophisticated analytical technologies available to businesses today. It has to change, and it can through the use of forensic analytics. This combination of human intuition and leading-edge analytics technologies can have a positive impact on the detection and investigation of fraudulent and other illegal or unethical activities if the proper analytics detection methods are employed.

Forensic analytics consists of a set of analytics techniques that investigators can use to uncover irregularities in financial data. Typical irregularities include errors, biases, duplicates and omissions. The goal of forensic analytics is more than to simply detect these irregularities, however. The real goal of forensic analytics is to find out how and why these irregularities exist, and to find out the source of the anomalies – especially when fraudulent activity is suspected.

What is more, the application of forensic analytics techniques can prevent financially draining errors or fraudulent activities from happening in the first place, making the tools used to analyse frauds, errors and other corruptions particularly valuable to decision makers. When a company has fraud-detection systems and technologies in place, managers can do far more than explain problems in hindsight. They can parlay their understanding of how and when anomalies occur to build foresight.

Forensic analysis occurs in a demanding space. A company’s reputation, financial health and even survivability can be at stake when faced with even the smallest of frauds, especially if the case involves the media and public scrutiny. The cost of careless or inaccurate analytics itself is very high, so it is important to “get it right” the first time, turning to dependable, demonstrated technologies and processes to answer the serious questions and resolve the underlying challenges. Employing the tools of this discipline yields a return on investment that can be hard to measure, but nonetheless substantial if a company can move beyond explaining past errors and actually prevent issues from arising in the future.

Guiding principles

Forensic analysts’ work is guided by a set of four principles. These principles are key to effectively ferreting out data anomalies and establishing confidence in the results.
The four guiding principles of forensic analytics are:

  • Precision
  • Repeatability
  • Defensibility
  • Integrated data

Any analysis conducted should be performed with a keen eye for detail and accuracy. Since the issues being investigated are usually of great consequence, or the numbers themselves demonstrate an abuse of assets, the work should be done with a narrow margin of error.

The tools of the trade should be sharp and deliver the precision investigators depend on.

Secondly, the work should be repeatable. Forensic analysts are called upon to process complex scenarios in a compressed time frame. A repeatable framework not only aids in efficiency, but it can come in handy if the analysis is held up to judicial inquiry.

Indeed, the work should also be defensible. In other words, “black box” models are not preferable. To stand up to close scrutiny – especially when fraud is suspected – forensic techniques used should be transparent and employ generally accepted techniques.

In this field, people seek to “prove you wrong” and may bring a company to trial in the public press, so it is imperative that the tools used to build a case can withstand the pressures of cross-examination.

Finally, the data from the analysis should be integrated for interpretation. Analysts must fuse structured and unstructured data from a variety of sources to facilitate contextual understanding and analysis. Data is often heterogeneous, however, existing in different formats, different languages and on different systems.

This heterogeneity can make synthesising the data an arduous task for analysts if the data is old and housed on defunct operating systems or deeply embedded within disparate programmes. Therefore, the tools and techniques they use are usually chosen carefully for the case at hand.


To meet these four principles – so that the work delivers precision, repeatability, defensibility, and data integration – it is advisable to employ a standard, repeatable methodology in forensic analytics. While the methodology can be applied to most kinds of analytics exercise or management consulting projects, forensic analysts employ a particular brand of creative thinking to move through the steps with efficiency. Each step answers a question in a way that is unique to the situation being evaluated.

Data identification – What data needs to be used to analyse the situation? A large volume of information is usually explored in most forensic analytics cases, and analysts are challenged to determine quickly what information is most relevant. They consider that data may come from various sources – eg structured, unstructured or from a third party – and that only the right data will serve as the basis for case evidence. This step also involves the mapping of electronically stored information and paper documents.

Forensic collection – How does one get the data? In addition to following the standard protocol for collecting data – using established forensic preservation standards, maintaining the data’s chain of custody, and performing data integrity checks for completeness – the forensic analyst faces other considerations.

The case’s legal environment, for example, might include multiple jurisdictions with differing regulations and data privacy concerns. Whilst complying with relevant laws and regulations, data may need to be gathered discreetly or covertly, under the noses of those who are otherwise unaware of the ensuing investigation. Analysts will determine the leading methods to get the information they need – certainly not a trivial matter in forensic analytics.

Data fusion – How is the data going to be joined together and structured for analysis? The data may be in dozens or even hundreds of formats that analysts must assemble to meet the individual dynamics of the case. Simply put, a lot of data needs to come together in a way that it is easily accessed and evaluated in order to answer specific questions. Based on the needs of the investigation, analysts may integrate structured and unstructured data using temporal and entity keys and derive context by superimposing data sets. They should also house the data appropriately, in a database, data mart, or data warehouse, before the queries can be run and insights derived from the analysis.

Forensic analytics application – What tools will be used to analyse the case? The scenario may call for analysts to look at simple queries or turn to other methods, such as relationship mapping, link analysis, hypothesis testing, or econometric modelling.

In any case, analysts will apply rules-based detection on required transaction data to identify anomalies suggestive of fraud, and other misdeeds. They may develop statistical models to identify previously unknown patterns and adjust anomaly detection rule sets through a feedback loop.

The element of feedback is becoming increasingly important in forensic analytics because it lends an iterative aspect to the process. The ability to make changes to the data sets or analytic models based on experience, query results, and even the emergence of new questions in the investigation, helps in the application of forensic analytics to predictive analysis – not to mention helping analysts fine-tune their work as they progress through a case investigation.
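The data fusion and rules-based detection steps above can be shown on a small scale. The following is an added example, not code from the original article: the vendor, HR and payment records, the rule names R0 to R4 and the approval limit are all constructed assumptions. Payments are joined to the vendor master and HR extract on entity keys (vendor ID, bank account) and a temporal key (payment date against onboarding date), then checked against transparent rules.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from any real case).
VENDORS = {  # vendor master, entity key = vendor_id
    "V100": {"name": "Acme Supplies", "bank": "GB11-0001", "onboarded": date(2011, 3, 1)},
    "V200": {"name": "Northfield Ltd", "bank": "GB22-7777", "onboarded": date(2012, 6, 15)},
}
EMPLOYEES = {  # HR extract, entity key = employee_id
    "E7": {"name": "J. Doe", "bank": "GB22-7777"},
}
PAYMENTS = [  # ledger extract: (payment_id, vendor_id, invoice_no, amount, paid_on)
    ("P1", "V100", "INV-001", 4200.00, date(2012, 1, 10)),
    ("P2", "V100", "INV-001", 4200.00, date(2012, 1, 24)),
    ("P3", "V200", "INV-9", 9950.00, date(2012, 6, 1)),
    ("P4", "V100", "INV-002", 310.50, date(2012, 2, 2)),
]
APPROVAL_LIMIT = 10_000.00  # assumed sign-off threshold


def fuse_and_flag(payments, vendors, employees, limit=APPROVAL_LIMIT):
    """Join payments to vendor and HR data; return {payment_id: [rule hits]}."""
    staff_banks = {e["bank"]: emp_id for emp_id, e in employees.items()}
    seen = Counter((v, inv, amt) for _, v, inv, amt, _ in payments)
    hits = {}
    for pid, vid, inv, amount, paid_on in payments:
        vendor = vendors.get(vid)
        flags = []
        if vendor is None:
            flags.append("R0 vendor missing from master file")
        else:
            if vendor["bank"] in staff_banks:
                flags.append(f"R1 vendor bank matches employee {staff_banks[vendor['bank']]}")
            if paid_on < vendor["onboarded"]:
                flags.append("R2 paid before vendor was onboarded")
        if seen[(vid, inv, amount)] > 1:
            flags.append("R3 duplicate vendor/invoice/amount")
        if 0.99 * limit <= amount < limit:
            flags.append("R4 just under approval limit")
        if flags:
            hits[pid] = flags
    return hits


if __name__ == "__main__":
    for pid, flags in fuse_and_flag(PAYMENTS, VENDORS, EMPLOYEES).items():
        print(pid, "->", "; ".join(flags))
```

Each flag names the rule that fired, so the same run over the same extracts reproduces the same findings and each finding can be explained line by line.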

Looking forward – forensic analytics techniques for predictive modelling and forecasting

At some point, most enterprises face a look back with forensic analytics. The field has evolved, however, with growing volumes of data and shifting focus on prevention. Many companies now seek solutions incorporating more proactive, predictive techniques and continuous monitoring. The future of analytics calls for innovations that embed advanced analytical concepts to solve non-relational and nonlinear challenges – tools to detect fraud in real time.

As the regulatory and economic environments change, schemes and errors related to fraud, waste and abuse also tend to change and evolve. While a traditional rules-based anomaly detection system is generally good at finding fraud, it has been shown that over time, the rules may become less relevant; hence, the system becomes less effective, generating more Type I (false positive) errors.

The need for more accurate rules-based reasoning tools in the forensic analytics space has resulted in the creation of the next generation of “hybrid” anomaly detection systems.

A hybrid anomaly detection system, combining traditional rules-based reasoning with more advanced predictive analytics to create a self-learning model that will minimize both false negatives and false positives, can assist in mitigating risk of:

  • money laundering;
  • financial statement fraud;
  • asset misappropriation, including vendor/purchaser fraud and false billing schemes, expenses abuse, skimming, payroll fraud;
  • corruption and bribery; and
  • sanctions violations.
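The feedback loop described earlier and the hybrid approach described here can be sketched together. This is an added example, not code from the original article: the expense claims, the over_500 rule, the analyst dispositions and the thresholds are constructed assumptions. A rule whose past alerts analysts mostly dismissed must be corroborated by a statistical outlier score, while a strong outlier raises an alert even when no rule fires.

```python
from statistics import median

# Constructed expense claims (claim_id, employee, amount); not real data.
CLAIMS = [
    ("C1", "ann", 120.0), ("C2", "ann", 135.0), ("C3", "ann", 128.0),
    ("C4", "ann", 131.0), ("C5", "ann", 480.0),
    ("C6", "bob", 540.0), ("C7", "bob", 560.0), ("C8", "bob", 555.0),
    ("C9", "bob", 548.0),
]
# Constructed analyst dispositions from closed alerts: (rule, confirmed?)
FEEDBACK = [("over_500", False), ("over_500", False), ("over_500", True),
            ("over_500", False)]
RULES = {"over_500": lambda amount: amount > 500.0}


def robust_z(value, history):
    """Distance from the peer median in MAD units (an explainable score)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return abs(value - med) / (1.4826 * mad)


def rule_precision(feedback):
    """Share of each rule's past alerts that analysts confirmed."""
    totals = {}
    for rule, confirmed in feedback:
        hit, n = totals.get(rule, (0, 0))
        totals[rule] = (hit + confirmed, n + 1)
    return {rule: hit / n for rule, (hit, n) in totals.items()}


def hybrid_alerts(claims, rules, feedback, floor=0.5, z_cut=3.5):
    """Trusted rules alert alone; stale rules need a statistical outlier too.
    A strong outlier alerts even when no rule fires."""
    precision = rule_precision(feedback)
    history = {}
    for _, emp, amount in claims:
        history.setdefault(emp, []).append(amount)
    alerts = {}
    for cid, emp, amount in claims:
        outlier = robust_z(amount, history[emp]) > z_cut
        fired = [name for name, test in rules.items() if test(amount)]
        trusted = [r for r in fired if precision.get(r, 1.0) >= floor]
        if trusted or outlier:
            alerts[cid] = {"rules": fired, "outlier": outlier}
    return alerts
```

With the sample feedback, the four routine claims above 500 no longer alert, while the 480 claim that the static rule misses is raised because it is far outside that employee's own pattern.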

Wrapping it up

The environment in which forensic analytics is applied is dynamic and evolving. The tools need to be particularly sharp, the methods repeatable and the findings defensible. The data in forensic analytics cases can be complex and incongruent, and the techniques used to integrate the data and make it accessible to analysts asking questions are usually applied within tight time frames and amidst various forms of scrutiny.

The methodology itself is able to deliver powerful insights to a wide range of cases – from explaining minor system irregularities to uncovering fraud in the most complex, global scenarios.

The tools that have been used to analyse fraud in a looking-back perspective have remarkable potential to be used in preventing frauds from occurring in the first place. Strides are being made by analysts to improve the way structured and unstructured data are fused to bring better insights – and foresights – to forensic investigations. Leaders in the field, as well as corporate leaders adopting the tools of forensic analytics, are involved in developing exciting, creative innovations that continue to impact their work.

Given the costs of failure around controls and risk management, both financially and reputationally, adopting a more forward-looking approach using forensic analytics may serve to help prevent a wide range of financial statement frauds, asset misappropriations and international corruption and bribery issues.

While some of these situations cannot be completely prevented, an investment in forensic analytic tools can help companies to consider ways to make improvements in their processes today to mitigate the risks of tomorrow.