Internal Investigations

Tools Used to Uncover the Truth

James A. Snyder , J.D., CFE
Managing Partner
Forensics & Valuation Services
jsnyder@bkd.com

Tom Haldiman, CPA, CFE
Supervising Consultant
Forensics & Valuation Services
thaldiman@bkd.com

October 31, 2012
Geocoding
Tools: Google Earth, Batchgeo
2
Data Analytics

3
Data Analysis Process
1) Identify & gather relevant data

2) Process that data with an appropriate tool

3) Analyze output generated by that tool

4
Search for Conflicts of Interest
1) Identify & gather relevant data
-Vendor Listing, Employee Listing, Secretary of State
Websites, Land and Property Records, Invoices, Email,
Facebook
2) Process that data with an appropriate tool
-Relationship Mapping Software such as IBM i2
Analysts Notebook, Node XL or Gephi

3) Analyze the output generated by that tool

5
Identify and Gather Relevant Data
Christopher Andrews is an employee of Diamond Design
Jackal, Inc. is a vendor of Diamond Design
Jerome Johnston is an owner of Jackal, Inc.
Jerome Johnston is also an owner of Imperial Design
Imperial Design shares an address with Coldwater Constructors
Beth Woodard is an owner of Coldwater Constructors
Beth Woodard has the same phone number on file as Jerome Johnston, &
they are married
Slimline Architects sends invoice to Jackal, Inc., which is then marked up by
Jackal, Inc. & sent to Diamond Design
Eugene Graham is an owner of Slimline Architects
Steve Andrews is the father of Christopher Andrews
Steve Andrews is an owner of Imperial Building
Imperial Building is a vendor of Diamond Design
6
Process that Data with an Appropriate Tool
7
Analyze the Output Generated by that Tool
8
11

Tools: Analysts Notebook, Node XL, Gephi
12
Relationship Mapping
Degree Number of links to other entities
Find entities who may be the most active in the network based on number of
direct links to other entities

Betweenness Number of paths through each entity
Find gatekeeper entities who may control information flow between
different parts of the network

Closeness/Centrality Proximity of entity to other entities
Find entities who may have the best access to other parts of the network &
visibility of activities within the rest of the network

Eigenvector (Hubs/Authorities) Closeness to key players
Find entities that may have strong influence in the network due to their direct
links to other highly active or well connected entities
13
Social Network Analysis
Relationship Mapping
Social Network Analysis
Degree Number of links to other entities
Find entities who may be most active in the network based on
the number of direct links to other entities
14
Relationship Mapping
Social Network Analysis
Betweenness Number of paths through each entity
Find gatekeeper entities who may control information
flow between different parts of the network

15
Relationship Mapping
Social Network Analysis
Closeness/Centrality Proximity of entity to other entities
Find entities who may have the best access to other parts of
network & visibility of activities within the rest of the network

16

17
Theatre Map
18
Theory 1: Tickets Sold at a Price of Zero (Comped)
19
Theory 2: Unsold Seats were Actually Sold at Zero
Cost, Then Reclassified as Unsold
20
Theory 3: Tickets Sold Below Market
21
Applicability to Other Companies
All Companies Payment detail, payroll detail,
vendor listing, employee listing, general ledger detail
Manufacturing Cost of goods sold & inventory
detail
Health care Patient accounting detail
Banking Loan maintenance file
Every company has unique data that should be
considered

22
Sequential Checks to the Same Vendor
Tools: ACL, Access, Excel, or IDEA
23
Missing Checks
Tools: ACL, Access, Excel, or IDEA
24
Other Data Mining Procedures indicative of
a Vendor/Billing Scheme
Name similarity (phonetics, acronyms, etc.)
Acceleration (systematic spending increases)
Employee address matches customer/vendor address
Customer Tax ID matches another customer Tax ID
Customer/vendor phone number matches employee phone
Duplicate invoices or slightly altered attributes
Sudden spike in invoice volume or activity
Missing contact information (address, phone, names)
High volume of transactions ending in 0 or 5
Unusual activity compared to similar vendors or customers
Weekend or holiday transaction dates
Transactions processed at unusual hours
Address is PO Box, maildrop, prison
Dormant account suddenly active

25
Computer Forensics
Computer Forensics
Computer forensics (more accurately digital
forensics) is the science of recovering digital data in a
manner that will withstand courtroom scrutiny
Must follow proper chain of custody procedures
Must maintain data integrity
Not strictly an IT pursuit
Typically includes analysis in addition to recovery,
which includes review of deleted files, unallocated
clusters & metadata
27
Not Only Computers
28
E-discovery
Discovery of evidence in an electronic format,
also referred to as electronically stored
information (ESI), searched in the course of
litigation

Covers a variety of data, including
documents, email, audio files, photos,
metadata & more
29
Computer Forensics E-Discovery
STEP 1: Acquisition
STEP 2: Analysis/
Review
Computer Forensics Technician
Computer Forensics Technician
Lawyers & Other Investigators
Computer Forensics Technician
30
Predictive Coding
Analysis & identification of relevant electronic
data assisted by artificial intelligence

Also known as Technology-Assisted Review
31
Growth of Unstructured Data

Explosion of text data +
Rapid growth in storage
capacity +
Over 95% of data never
leaves the digital domain =
Overwhelming volume to
review by traditional means

32
Evolution: Keyword Search
Brute force search for exact, specific term
car
33
Evolution: Thesaurus search
Expansion of original term, but still applied as a brute force search
car
automobile
auto
motorcar
34
Evolution: Hyper-Thesaurus search
Expands to troponyms, hypo/hypernyms, meronyms, entailments, slang, etc
automobile
auto
motorcar
tire
engine
hood
chrome
headlights
car
vehicle
garage
freeway
parking lot
ride
hotrod
clunker
beamer
Mustang
Ford
A8
Chevy
35
Evolution: Concept Searching
Performs true latent semantic analysis machine learning of text to do
find more like this searches


To: Vendor
From: Employee
---------------------------------------------
Thank you for the gift it looks
great in my driveway! I cant wait
to take it out on the open road. I
promise I wont tell anyone where
it came from.

Documents
related to
topic
Emails
related to
topic
36
Evolution: Predictive Coding
Uses concept search technology but incorporates statistical predictions of
relevance based on observation of & interaction with, the user
Senior attorney codes an initial sample set as relevant or not
Artificial Intelligence learns from this set & presents another
Iterations continue until predictions match reality
Alternative approach AI watches reviewers as they code
documents & learns from them, then begins presenting
predicted relevant documents


37
Issues
Courts still largely undecided its a legal minefield
Works best on documents rich in text (email, word processing,
PDFs, etc.) it doesnt on spreadsheets, databases & others
Multi-lingual data sets can cause strange results
Our experience has shown it to struggle with jargon,
abbreviations, innuendo, sarcasm, slang & effect of emoticons
Can only predict relevance based on what you teach it it
doesnt have a crystal ball


38
Best Uses
In litigation, only in large cases & by agreement of both parties
& consent of the court
Early case assessment (ECA) to rapidly identify relevant material
or to cull down corpus to a more manageable size
Post-review quality control helps answer What did we miss?
Forensic investigations as a supplement to traditional
computer forensics & data mining efforts

39
Summary
40
James A. Snyder J.D., CFE | Managing Partner | 816.701.0260 | jsnyder@bkd.com
Tom Haldiman CPA, CFE | Supervising Consultant | 816.221.6300 | thaldiman@bkd.com
BKD Forensics Institute Upcoming Schedule
Deciphering Financial Statements: Tips & Tricks for Attorneys
o Wednesday, November 7, 2012
o 11:30 a.m. 12:30 p.m. CST
o Presented by Jeff Roberts, CPA, CFE, CFF

Data Visualization: Taking Your Analytics from Blah to Bam!
o Wednesday, November 14, 2012
o 11:30 a.m. 12:30 p.m. CST
o Presented by Jeremy Clopton, CPA, ACDA, CFE
bkd.com/fi

42
Starbucks Gift Card & Certificate
To help promote the event as an associate training
tool, we are offering a bonus
o Associates who attend all three sessions will receive a
Starbucks gift card & Certificate of Participation from BKD

43
Slides & Webinar Archive
Todays presentation slides are available at
bkd.com/fi. A recorded copy of the webinar will be
available at the same location at the conclusion of
webinar series

If you have any questions, please contact
Dane Ryals @ dryals@bkd.com

Thank you for attending today


44