The Institute of Internal Auditors presents all things internal audit tech. In this episode, Ernest Andon and Tom Keaton discuss the evolving role of fraud analytics. In internal auditing, they'll cover how data analytics and AI can improve fraud detection and prevention, along with the challenges and practical strategies for success.
Hey, everybody, I maybe just a little bit of an intro, Tom, uh, appreciate everybody listening in to today's episode where Tom and I are gonna talk about fraud analytics. Uh, but maybe it's, I think it's a good idea for us to just get acquainted with the audience. So I'll start off and then hand it over to you, Tom. Um, I'm Ernest and Ion. I, I lead our product marketing function here at Mindin Bridge Analytics. Uh, I've been in the software game for going on about 10 years now.
However, prior to that, I was a Chief Audit executive. Uh, so I spent a better portion of my career about 15 years doing everything. Maybe I'm dating myself, Tom, by saying I started my career off as an intern when Sarbanes Ox League came into the fold in 2002. Um, But yeah, have, have kind of seen everything, uh, from, you know, sox, uh, enterprise risk management, starting internal audit groups from the ground up.
Um, got into risk advisory services and public accounting at some point, and then, uh, got into tech. So that's a little bit about me, but I'm, I'm, I'm very happy to join you today on this episode. Tom, you wanna give them a little bit of background on yourself? Yeah, absolutely. And excited as well, and looking forward to, to talking a little bit more. Uh, but yeah, just a little bit about me. I am a director of internal audit at Crown Castle.
I've been in internal audit in some way, shape, or form my entire career, going back to the early two thousands. So I'll date myself just as much as, as, as you did on the, on the Early Sox years. Earnest and my roles across my, my various experiences and stops along the way have, have all included technology in some way, shape, or form and risk and advisory.
Uh, currently I do a lot of work in the space of automation, analytics, uh, starting to thread some of the new technologies and, uh, spend a good bit of my day fraud, investigations, risk and whatnot. So, uh, really excited to dive in and, and, and, and see how we, uh, overlap in those spaces. Yeah, I, I bet you have some phenomenal stories to tell, but before we get to those, maybe let, let's just start with the basics.
When you're, when you're thinking about fraud, and you mentioned, uh, some cutting edge technology like data analytics and automation ai, how have some of those technologies kind of changed, uh, the game for internal auditors over the, over the course of time that you've seen it? Yeah, that's a great question. And, and, and I would say it's a, it's, it's in, in two ways, is the way I would answer it.
One is not nearly enough, uh, because you, you hear all the technology and from probably a solid, gosh, I'd say maybe a decade or more, you would hear about using data analytics to do internal audits and different things. But when you really talk to people, did anyone actually do it?
Like there was very few that would, would do anything other than maybe pulling populations, selecting samples, but truly doing internal audit work through data analytics was kind of a unicorn, wasn't, wasn't very often, and it sometimes it felt like a myth. So there was a little bit of head banging on the, on the desk a little bit where you're trying to figure out, you know, how to use these technologies and these theories.
But then I'd say within the last couple years, we're starting to see some breakthroughs. And, and, and I think that a lot of that goes to data quality and the way that organizations are actually, um, going through that digital, digital transformations and creating a more digital organization. And then you have, uh, just, again, dating ourselves one more time, more, more digitally forward.
Uh, people entering the workforce, they're used to having data at their fingertips and wanting certain types of data and, and, and then the tools are just starting to be, be phenomenal. Um, you no longer have to be the expert, uh, code writer to be able to, to, to build some things. A lot of are, are drag and drop or you can, you know, do write, write in using gen ai, you're able to write it what you want to do, and it can give you some code that you can use.
So, so really starting to see some, some fascinating breakthroughs there. And, and I think we're just at the beginning, it's really going to start taking off in a way that is gonna seem like futuristic to, to us today is probably gonna be just a few weeks to have a year or two away from now. Yeah, I a hundred percent agree. And I remember a time where on an Excel spreadsheet you were limited to 65,000 rows.
That's Right. And so when big data and data analytics kind of came about, and, you know, that was such a buzzword, I wanna say 15 years ago, um, as A-C-A-E-I had a mandate where I said, every audit we do, whether it was an assurance audit, a compliance audit, an IT audit, you have to have an element of data analytics. But we didn't know where to start. So we actually were building access, Microsoft access databases to test entire populations of transactions.
And even then, the populations probably weren't more than, you know, a couple hundred thousand. Uh, so how do you really get coverage? So there's a quote out there that says that the data explosion is at this exponential rate. It's not just doubling over the course of 18 months or so. It's almost like tripling and, and, and it's just gonna keep getting bigger.
So from your perspective, how does, let, let, let's put it through the lens of fraud, and how does fraud and analytics kind of fit into the bigger picture of how you see organizations managing their overall risk? Yeah, I, I, I love this topic. I mean, we, we, with, with what I deal with day to day on our, our risk management side as well as, you know, fraud, not just investigation, but also detection, prevention and so forth, data is, is woven all through, all throughout.
That for me, it's also, it's, it's, it's a tough, uh, uh, a tough kind of riddle to crack. Um, from a investigation perspective, if you get an allegation, you can, you, you, you have a concrete claim to go off of or some, some tip that you can look into. It gives you a head start. And once you have a head start, you know, you can take a look at some vendor analytics.
You can see who's popping out as maybe a, somebody guiding most of their work to a certain vendor that happens to be maybe given a kickback on the side. Or do we have a certain vendor that's coming back and doing change orders and rework to, to slowly increase the, the cost in which you're paying. Um, so, so to me, what I, I I call those investigative analytics.
Those are ones that I have some dashboards built or some queries that we run that we can do standard that's gonna give you a, a profile, so to speak, of that, that specific claim. Where, where I've had some difficulty over the years and, and others that I've talked to is the, the predictive or the identifying analytics that you can go and you can run certain queries and using data warehouses and different, different, um, uh, data sources to be able to say, Hey, this is starting to look funny.
It's starting to, to play kind of outside the lines a little bit. Maybe we should go and look into, uh, this project manager or this vendor, or this construction project. Uh, that's been tough, uh, that that's a little bit harder because, uh, data's coming from all over the place. It's a little bit of a, a, a different way of thinking from an audit perspective to to be predictive. So, so we're starting to try to find a way to dabble into that space.
But using analytics once we kind of have a place to look, has been a huge boost to our productivity, uh, our success rate, to being able to either substantiate or even refute the claim. Um, you don't always want it to be right. You hope it's not always, the claim isn't always right, but, um, it's given us more, more confidence in our conclusions by being able to, to, to be data-driven, to get those investigations off the ground.
So when a claim does come in, maybe through a whistleblower ethics hotline, do you operate under the guise of innocent until proven guilty? Or the opposite? That's a great question because, you know, I, I, I, I, I never thought about it until I took a, a more formal training, probably 10 years ago. And, um, I take it as almost innocent until proven guilty.
And, and so, um, for me, I think that's, that's also a, a, a mentally cleansing approach because when, when you're in internal water, all you see typically is bad, right? It's, it's, let's go in and, and, and, and find the problem here, find the problem there. How do we fix this? Right? Um, investigation's the same thing. So you layer bad on, bad on bad, and you're always, you know, you, you, you wanna feel some good somewhere, right?
So, so for me, I, I like to be able to go in with that mindset of, okay, we've got this claim here, let, let, let's, I'm hoping it's not, not legitimate. Um, and, and, and take it from that standpoint, now that, that success rate on, that's not terribly high. Usually claims are pretty right. Um, they're pretty credible for the most part. So there's usually something there. But yeah, like that, that's the, that's the method I like to follow.
How about yourself? What, what, what kind of mindset do you have in those situations? Oh, I'm, I'm gonna take the consulting route and say, it depends. It depends on, it depends on what the claim is, how far fetched it it could be. Mm-hmm. Um, you know, I've seen some crazy things, uh, in, in my time at audit, um, and we'll save some of the stories for later, but I agree with you, Tom. I think innocent until proven guilty, right?
It just that, that you, you gotta have some sort of compassion around it, right? It's not, I don't think internal auditors or, and, and that's the reputation that kind of precedes us. We're, we're, we're, we're the bad, we're looking for the bad cops, we're cops, but we're like internal affairs and we're looking, no, that's not the case. We're, we're charged with, uh, helping the organization, uh, with change management and protecting shareholder value.
And, and that's what we wanna do through our risk analysis, our risk assessments. Um, that's why I always loved doing more advisory type work, right? Like, I knew my team was being successful. Absolutely. I knew My team was being successful. When a C-Suite executive came to me and said, Ernest, I would love for you to take a look at this process. Something just doesn't seem, to your point earlier, something seems off, something doesn't seem right.
Can you come in, give us an analysis, give us an independent objective opinion or recommendations on what we could do better? Those were my favorite audits to do, for sure. Tom, I do wanna go back to what you're talking about, like some, some of the difficulty when, when you're, look, when you're trying to find trends and you're trying to find patterns.
Now when you get a claim that I feel like that's a lot easier because it's like, boom, you know what you're looking for versus if you have vast amount of data, certainly, right? Like, think about all the different systems within your organization, ERP, payroll systems, data warehouses, data lakes, um, et cetera, gls, what other kind of red flags would you recommend people look out for?
And maybe it's not a red flag immediately, but you know, where there's smoke, there's fire, but like, what, what are some of those warning signs people should be looking for? Yeah. That, that, that's, that's, again, that's like looking through the crystal ball to find those answers, right? That's, that's such a challenge. And the other piece to that whole puzzle was, even if you know what those, those may be, I, I don't know how many internal compliance staffing to give you those answers.
So, so I'm, I'll start off with a super big cop out of, it's really hard. Yeah. Yeah. And every business is different, but, but, but it's all on how you look at it. And something that we've been really trying to develop over the years, um, even if it's just from a concept to make us think a little bit differently is, is, um, I'll use a vendor, let's say there's, uh, some potential corruption with a vendor that we're trying to find, right?
We don't have a tip, but we're trying to find, is there something there I mentioned over usage by a single person, but, um, we, we wanna think more broadly and, and almost come up with kind of like a, a like a hit list, a hit matrix or something like that where maybe we have a suite of 10 different analytics that looks like percentage of spend, change orders, how many pos have gone in, take, take your pick.
You know, all all of these different litany of things that on the surface, an individual singular, uh, analytic that you might run, may not give you a, um, a, a that red flag that you're looking for.
But if you take the look at that, those, those top 10 or whatever that number is, and then you can kind of add some weights and measures to them, and then you look at them and holistically, and you can score them amongst their other vendors in doing the same type of work in the same areas that you might be able to eventually start pulling out some things that, that, that, that can give you some places to look.
Now I'm also fortunate within my group, my, I, I oversee the fraud piece, but it's also within internal audit. I know sometimes those are split out. Um, so, so for the instance, if we, if we're going through something like that and we see that we have a couple of hits on something, or some, again, this is more conceptual than in practice at this point for us, but as those scores maybe pick up, that might allow us to say, Hey, we, we should go do a construction audit of this project in this city.
Something might be off here, let's go take a look. Or maybe we send a survey out to, to see if there's a way to, to get some people to prompt, or maybe it's a fraud training. We go out to that, that part and try to just poke our nose in there to see, see if we can find a, a, a, a little bit more within, with, within that group or area or vendor. But it's really challenging.
Um, you know, my organization isn't terribly transactional, so, you know, we don't manufacture things, we don't sell, um, items. We're not really, you know, consumer driven in that way. So, so it gets to be more challenging there to be able to find some of those things. We're not dealing with inventory or shrinkage or things along those lines.
But it definitely gives you the mental challenge and the, to, to kind of give you the, the creativity to go in and, and, and find different ways to slice the data to, to kind of turn it on its side and find some interesting, um, details there. So, Tom, would it be fair to say that what you're mentioning some of these dashboards, is that akin to continuous monitoring, or are those dashboards really just early warning signals? Like how do you think about that?
And then where do you think continuous monitoring plays a role within fraud and analytics? That's a great jump. Um, think the, this is gonna sound silly, like the advent of dashboards. Like, that's like a, that's such a pervasive concept now in the last interactive dashboards, I should say, right? I, I is such a pervasive concept that's really taken hold in probably the last five or six years with, with, uh, some of the different softwares coming out.
Like Tableau being one now, power BI has kind of all over the place as well. And, um, you know, I look at those as more informational and monitoring, you know, continuous monitoring in a way. Sure. But to me, a continuous monitoring process is something that's going to be running in the background.
And if, you know, transaction hits a, b, and C attributes, I'm getting an email or a text message or an alert that's like, Hey, we gotta go look at this, and it gets you outta your chair pretty quick, and you go and take a look and you, or you spin up an audit or something along those lines. Whereas when it comes to the dashboarding pieces, I think that's more, how's my business running? Am I under, am I in control now?
It could show you some stuff, but, but to me, and, and maybe I just haven't been able to crack that code when it comes to, to looking at some of those dashboards, but I use those specifically for, um, operating within an investigation. Uh, so once I'm in an investigation, I have the details on what we're looking at.
Those are extremely valuable because now you can click and filter and sort to be able to show different highlights, and then you can see some of the outliers, outliers based on the criteria that you are inputting. Whereas the continuous monitoring, I feel like they're actually out there looking, those bots are looking for the outliers and alerting us to those to go and take a look at.
Yeah, and one of the best analogies I use in explaining continuous monitoring to folks is think about your credit card. Let's say you're traveling to Erie, Pennsylvania, and you've never been there before, and you go to the local hardware store and you've run up a a $500 charge, what's what's gonna happen immediately?
Your cards decline because, you know, those financial services, all credit card companies, they, and the point of sale systems and everybody have so much sophistication or in terms of patterns and behaviors and where you've been shopping and the minute your transactions decline, that's what continuous monitoring is. So, um, Tom, I I wanna dig in a little bit in, in terms of the analytics that you use within your investigations.
Can you talk about, you know, do I need to learn programming language to set up some of those types of queries? Like what kind of skill sets do you have and what do those analytics look like? Yeah, uh, uh, another great question. And, and, and for me, like I said, I I, I got lucky in my career and that, that allowed me to kind of get into some of that stuff early on.
And even if it was just using some basic Excel functionality that at least embeds the thought process into your head, um, on, on how some querying and different things might work. But, but I will say we had to hire on some special help for that one. So, so we, we, we made the decision, um, probably four or five years ago that analytics was the future for audit in every sense of the word, be it investigative support, risk assessment, audit, so on and so forth.
And, you know, we tried to tend to do a, a one step, one foot in approach. And so we had, I think at the time we had maybe a 10 person shop. And so we're like, Hey, we'll take one person out and put that person into an analytics role. Um, we were able to kind of do a proof of concept to show that it worked, and we got some, some support there, but we also realized like we're all we were trying to do is obvious kill an auditor. It had some experience in there.
So, so we were, we got proof of concept and eventually when we hired somebody who had the right skillset, not an auditor by trade, uh, but, but had some background of, you know, business finance and understanding some of the, uh, inner workings of a normal organization. But it wasn't until we had somebody who had that sophistication, earnest, who was able to, to truly bring that professionalism to, to us.
Um, so while there's ways I think that you can limp through and you can, you can do some things that are going through Excel or a Power BI that's not terribly, uh, sophisticated that's that, that, that, that your average user could build. Um, to me, I think it's really important to have, have that dedicated skillset to allow you to build that.
And we even went through this, that, that phase of outsourcing that, uh, you know, we, we, we got some good, good, um, relationships with some firms that had that, and we kind of went and hunted and peck three to find the right ones in the right ways with the right tools and technology and how we could transfer all of those, I'm sure you deal with, with some of that in your world these days too. And, and, and, and we were, again, really successful all the time, but all time.
And that's something I tell tell people a lot that's that, that are new to trying to build out this, this program with them. I said, don't be afraid to call for help. Uh, you know, you gotta start there, and that way you learn and you can see where it goes, and you can build a foundation that way. Absolutely. I mean, you talk about that skillset, and I joked earlier, but I was actually being, uh, real that, you know, building an access database to do my testing at, at the time.
You know, I took a basic SQL database course in undergrad and thought, oh, I could write my own queries for it, but it, it got to a certain point where I'm like, okay, I don't know how to do this, join properly. And so I would go off into our IT department and talk to A DBA and say, Hey, here's what I'm trying to do, and, and can you help build it? I'm starting to see a lot more as I talk to other folks in the profession.
You, me, you mentioned earlier, you know, hiring people with different skillset. I can teach somebody how to audit. It's not rocket science. I mean, sometimes it can be, yes. But, You know, some of the, some of the joys I had in my career were, were doing rotational programs and getting people from the business to come join my team for a six month rotation, because again, I can teach an engineer how to be an auditor, but I can't teach an auditor how to be an engineer.
And, you know, getting them kind of that well-rounded experience, um, those were some of the best. Let's shift gears a little bit and talk artificial intelligence, ai. Are you using it as part of your fraud investigations or your analytics? Um, I don't know what your company's stance is if you're, if they're for it, if they're against it, but yeah, I mean, talk to us a little bit about, uh, your usage of ai, if there is any. Yeah, It's low.
It's low. Yeah. I mean to, to me it's still a little experimental. We don't have any, anything, you know, like a private GPT type ring or anything in there yet. So throwing data in is a big Yeah. Strict no, no, for us, as I think it is for many, many organizations right now. But I'm really, really excited about it.
I'll be curious to hear, hear, hear some of your thoughts and from, from where you're seeing AI implementation here, because like in my head, thinking, you know, down the road future thought is once we are able to start leveraging some of these, um, and I was doing an investigation early this morning and I'm going through emails over and over and looking for, it's like, all I'm thinking is if I could just throw some sort of AI bot on this thing and have almost a gen AI type conversation
and be like, ah, this is the investigation. This is what I'm looking at, this is the timeframe, and, and let this thing just go wild on a O 365 PST file, what saved me so much time? That is to me, the longest amount of time. And it's, I mean, when I first started doing investigations, you would look at emails, you'd be like, oh, this is cool. You're getting this peak under the covers of all this stuff. Now. I've been doing it for so long. You're like, I hate this. It takes forever.
It's not, I just wanna push a button and let it be done. Yes. Uh, so, so yeah, so we we're, we're, we're in infancy on trying to use it. We do use some of this stuff a little bit more on the audit side, but, but I'd be curious to see what you're seeing with within your experience and your client base that, that, how that's gonna kind of start to take off the ground here.
Yeah. Uh, so I'll preface the conversation with, you know, there are multiple flavors of, of artificial intelligence, and I think in fact, no, I know generative ai. So things like chat, GPT or llama et cetera, copilot for Microsoft, generative AI in my mind is more of a productivity suite. It can do things that humans can do, but at a rate so much faster. Like, Hey, write me an email to the CEO of this company and I want to pitch my product to them, and then you can iterate on it, right?
And so I see a ton of value from a productivity standpoint. Oh, let me give you a perfect example, Tom. I was helping one of our salespeople, uh, with some account planning, and I told them, I was like, Hey, go download. They're publicly traded. Go download their annual report, attach it into chat GT and have it for it. And it did it in a matter of seconds, right?
So to your point of, of your example of having to comb through emails and documenta, I, I don't know whether, I mean, the future is so bright with what, what AI is. However, I understand the risks that it introduces and why certain organizations may have a very hard stance, um, you know, either for it or against it, or at your own leisure, at your own risk.
Just don't use our, our, our, our, uh, data in there, but even just from a non-audit standpoint, um, of AI and the amount of content that it can create. So I remember when AI was kind of getting big last year, um, and, and it created a song that I think was using Kanye West's voice and lyrics, but had a, another producer's beat, and it went viral, and people thought it was a real song, and the record companies were scrambling, like, how do we get this down?
You know, I, I mean, you know, and then you hear about DeepFakes, right? DeepFakes is a big thing right now too. And what is that gonna do for like social engineering? Every technological advance has, its good and it's bad. So generative ai, I think the last thing I'll say about it is the rate of adoption of chat GPT, and, and I don't know the statistic off the top of my head, but it, it's, it's unlike anything we've ever seen before.
So if you just go and Google like, Hey, how many users adopted chat, GPT? Like, yeah, it, it's, It's wild. It's crazy. So, um, Tom, I know you and I could sit here and talk forever, uh, but unfortunately we're running out of time and I gotta ask you one last question. Can you share a story, maybe not the craziest story or investigation that you did, but something that maybe made you say, whoa, what were they thinking? Or, oh my goodness, I couldn't believe it.
You, you know, is there, is there anything that you could share, uh, to kind of round out our conversation? Yeah, yeah. I, I'd be there. There's, there's always a bunch of stuff that comes to mind. We could probably talk for a couple hours on a few of these things and, and how, how in depth some of them go. But what always ends up getting me are the ones that, that, that are the head scratchers, like you said, it's like, how did you get yourself there?
Right? Like, you know, no, and, and there's other ones that are just like the bizarre claims that come in. I mean, there's one I I, I can, I'm gonna give you two. I'm not, this one will be quick, is the, uh, the most bizarre claim I ever got. And it wasn't even bizarre. It's just, it was like strange, I guess is what we got a call that came into the hotline. And it literally, all that said was, I was told that I was too old. And then the next thing was like, you know, where does it happen?
It goes the whole demographics. And it said fourth floor. Well, we have offices all over the country. We've got several fourth floors. There's a lot of people. So you get these calls in and you're like, okay, not much I can do with that, but I see where maybe you were headed. Um, but what that usually brings me to is a whole lot of frustration when you get, you know, that that was a, a, a call on a case.
Obviously we couldn't do much with, they never responded back, and we asked some questions, but that is something that brings a ton of frustration for me, is when the call comes in. And it was way more fulsome than I was told I was too old, something like that. But, uh, that has a lot of truth to it, but it doesn't give you enough detail. And you, and you struggle to get an investigation going, and you're sending messages back to the trying to go through.
And we use an anonymous hotline, and so you can't just call them back, but you can send 'em through a portal as long as they log back in, you can, you can talk, but, um, a lot of times they don't respond. And, and so you're stuck with things. So that, that breeds some frustration.
But, um, you know, one, one in particular, I, I, I can throw out this pretty innocuous, but it was frustrating and kind of interesting was, um, you know, we had, and we see these things all the time, every company does is expense fraud, right? It's teeny. And that's the one, by the way, we could probably talk for an hour on analytics. That's the simplest thing to, to do some analytics over. But we had somebody who was submitting multiple expenses over and over.
They were very disorganized, and you went through the, the, the investigation with them. And, um, quite frankly, we, we say, okay, look, this seems like very, a lot of mistakes, a lot of, wasn't intentional fraud, a whole lot of waste, but non-intentional fraud. Yeah. So he kind of was let off the hook a little bit, just pay the money back, no harm, no foul. Uh, about a week later, I see the, uh, his manager, I said, how so and so, and response back was like, well, we fired him yesterday.
I was like, what do you mean? I thought you were keeping them. Like, no, he, same thing again, $9 for something else. So it's not the, that's not the funniest, it's not the the most outrageous, but to me, that's one of those things that's always stuck out in my head that some people just don't learn, or they, they are, aren't deterred by a potential repercussion or even put through the ringer of having to be interviewed by internal auditor, legal or compliance or whomever.
It's, they still, they still find a way to either A, screw up or b, think they're, okay, I'm off the hook so I can do this stuff again. And you know, you, you, you find it. Just keep circling on back. And, you know, once you've done this type of a job long enough, uh, you, you, you kind of run outta head scratches a little bit though. I mean, the patterns definitely start to show themselves. And I think TE is an easy one, right?
Like, um, oh, you, you know, no receipts required for anything $25 and below. Well, then I start to see patterns 24 99, 24, 98, 24 97. Uh, come on. Who are you kidding? Right? I mean, we gotta look for that stuff. Um, well, good, good chat, Tom. It, it was so great having you on today's episode, and, uh, hopefully we can do this again. Absolutely. Enjoyed it very much. It was great talking to you. Um, but, but welcome the opportunity to jump back on anytime.
If you'd like to hear more from Ernest, you can catch his session at the 2025 Fraud Virtual Conference on February 20th. Learn the latest in fraud prevention and detection from experts all online. register@theia.org or check the show notes you don't wanna miss out. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or@theia.org. That's THE iia.org.