Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 6
Fraud Data Analytics for Shell Companies

Boards of directors, stockholders, management, and the professional standards are expecting auditors to respond to risk of fraud in core business systems. Within a company's accounts payable file, shell companies are being used to steal millions of dollars from companies or the shell company is used to conceal bribe payments that violate anti‐bribery laws. The purpose of this chapter is to explain our methodology and experiences in detecting shell companies within the fraud audit.

In your customer database, internal employees have set up shell companies to sell to themselves at large discounts. We call this a front customer scheme. Internal employee then sells the goods to your customers at a markup. The internal employee then skims off the profit. In your vendor database, internal employees have created shell companies to misappropriate company funds or management has created a shell company to conceal the payment of bribes. In payroll, the internal employee has created the proverbial ghost employee.

The fraud scenario approach to uncovering fraud in core business systems recognizes that every secondary category of the fraud risk structure has one or more inherent fraud schemes. Every fraud scheme has two parts—an entity and a fraudulent action statement. This chapter will discuss fraud data analytics to search for the entity structure of the inherent scheme. In particular, this chapter will discuss fraud data analytics for locating the shell company. Starting with the homogeneous data concept, Figure 6.1 illustrates the concept of three groups of shell companies.

Image described by caption and surrounding text. — Figure 6.1 Categories of Shell Companies

From a fraud data analytics perspective, there are three homogeneous categories of shell companies. A fourth category is a subset of the first three. The shell company describes the vendor or customer. How the list relates to employees will be discussed in Chapter 8.

Category one: The traditional shell company
1. The traditional shell company is an entity that is created by the internal or external person to perpetrate the fraud action statement. The following list provides examples of the permutations:
  - Stand‐alone company legally created.
  - Stand‐alone nonlegally created, a DBA filed in the county of record.
  - Pass‐through stand‐alone company created by an internal source.
  - Pass‐through stand‐alone company created by salesperson at real company.
  - False minority entity in the USA.
  - False government preferred entity outside the USA.
  - For a more sophisticated perpetrator, there are companies that sell legal shell entities. The company was legally created many years ago and has been dormant. The incorporation date provided the illusion that the company has been in business for years.
Category two: The assumed entity shell company
1. The assumed entity is a real company where the perpetrator takes over the identity by changing the address, banking information, telephone number, or email addresses. The assumed entity is similar to the real entity that is not complicit. However, the key difference is that the assumed entity did not process the transaction, whereas the real entity that was not complicit did process the transaction through their books and records.
2. Assume the identity of dormant vendor or customer.
3. Temporarily assume identity of the same active vendor or customer.
4. Temporarily assume identity of the random active vendor or customer.
5. For a more sophisticated perpetrator, assume a real vendor or customer's identity that is not in the master file and the perpetrator causes real vendor or customer to be added to master file.
Category three: The hidden entity shell company
1. In the hidden entity shell there are a minimum of two companies in your database that have a common ownership. The purpose of the hidden entity is typically to circumvent dollar control levels. The companies usually have different names but may have a common identifier. The primary test is to search for duplicate master file data: addresses, bank accounts, telephone numbers, and email accounts.
2. Other purposes of the hidden entity are to function as a subcontractor, create false bids, meet government quotas for preferred vendors, or whatever scheme the perpetrator needs two or more organizations. On the revenue side, bad‐debt customers place orders under a new name; customers reaching a credit limit may create a second organization to avoid control levels.
3. The hidden entity scheme is a real company operating under two or more numbers or names. The companies may be two real standalone companies with a common ownership or two or more companies that operate under one roof.
4. The hidden entity scheme may also be a shell company where the sole purpose of the second company is to create the illusion of a second company for whatever purpose.
5. Hidden entity using a variation of a real company's name; however, unlike the other hidden entity schemes there is only one entity in your master file; the real entity is not involved and the duplicate test will not reveal the permutation.
6. Real vendor with multivendor numbers. For some reason, it is very common to find the same vendor or customer in your database two or more times. When a real company has two or more numbers it creates opportunities that should not exist with good master file internal controls.
Category four: The limited‐use shell company
1. The limited‐use shell company is a subset of categories one, two, and three. The only difference is the frequency that the shell company is used in the fraud scenario.
2. One‐time use of a shell company. Many companies' procedures for one‐time payments are not as robust as the internal control procedures for a permanent company.
3. Temporary use of a shell company. The perpetrator processes a few transactions through the entity to stay below the control radar before moving on to a different entity. In one fraud audit project, the perpetrator using the one‐time payment procedure would submit one invoice under a company name, then another company name,when in fact the companies did not legally exist. The fraud scenario was committed over a two‐year period.

What Is a Shell Company?

A shell corporation is a legally created entity that has no active business or is to conceal the true identity of the real company operating through a shell company. In essence, a shell corporation exists mainly on paper, has no physical presence, employs no one, and produces nothing. Within more sophisticated concealment strategies the perpetrators may employ the use of an office or employees to provide the illusion of a legitimate business entity. Shell corporations are frequently used to shield identities and/or to hide money in cases of money laundering, bankruptcy, bribery, and fraudulent conveyances. Scandals range from thousands to millions of dollars and always result in embarrassing moments for the corporation and management. Shell companies are called different names in different industries and different continents. Common names are paper company, fictitious company, nominee company, front company, dummy corporations, and numbered companies. Shell companies can also occur in nonlegally created companies, meaning in name only.

From an internal perspective of asset misappropriation in category one, the shell company is used for false billing schemes or a pass‐through scheme, which is discussed in Chapter 7. In category two, the assumed identity shell companies are also used for false billing and pass‐through schemes. Category three shell companies are used to circumvent payment internal controls and procurement internal controls. Category four shell companies are used in asset misappropriation schemes and internal control avoidance. All four categories are also associated with corruption schemes.

Shell companies are also used in financial statement fraud scheme where management is recording false revenue or transferring liabilities. The data analytics for shell customer is the same as the data analytics for shell vendor, except the data profile would need to be tailored for attributes associated with a customer versus a vendor.

What Is a Conflict‐of‐Interest Company?

The conflict‐of‐interest entity is a legally created company and provides the services or goods as described on the invoice. The conflict of interest is based on an undisclosed legal or beneficial ownership of the company. In Chapter 8, we will discuss conflict of interest in the purchase decision. The conflict‐of‐interest entity may operate as a shell company or as a real company with an undisclosed legal or beneficial ownership conflict‐of‐interest company. In first situation, the conflict of interest may have only one customer. In the second situation, the conflict‐of‐interest entity is in the business of providing services to the entire business community.

What Is a Real Company?

I know this sounds silly, but there are two types of real companies. The first type is a real company that is complicit with the fraud action statement. The second type is a real company that processed the transaction through their books and records but was not complicit with the fraud action statement.

Fraud Data Analytics Plan for Shell Companies

The plan starts with recognizing the homogeneous grouping of companies in the vendor master file or the customer master file. Using disaggregated analysis the fraud data analytics plan recognizes the subcategories within the homogeneous group of shell companies. The fraud sophistication concealment theory understands that at the low level the analysis of the master file should disclose the false entity, whereas, as the sophistication rises to medium to high, the ability to identify shell companies diminishes. The medium to high levels require the analysis of the transactions that link to the entity structure. At the high level, the search will start with the transactions and link back to the entities that have the transaction anomaly.

Fraud Data Analytics for the Traditional Shell Company

The search for the shell company starts with the specific identification strategy. We use the matching search routines, missing search routines, and the data anomaly testing. The matching test is comparison of two databases for a match. The most common test is the vendor database to the employee database. However, the same test should be performed for employee and customer database.

The matching test is highly effective because the match provides direct evidence of the linkage between the two entities. The matching should focus on address, bank account, telephone number, government identification number, and email address. The matching test is effective for low‐sophistication concealment but loses its effectiveness when the perpetrator ensures that the two entities have different identities. Figure 6.2 illustrates the impact that concealment theory has on the address field when using the matching test.

The missing analysis is an inference analysis that suggests that missing information is an indicator of someone with something to hide. The missing analysis should focus on address, bank account, telephone number, government identification number, and email address. It is the weight of all the missing information versus the lack of one element.

The anomaly testing uses the data in the master file to identify attributes associated with a shell company (e.g., P.O. box) or compares data for illogical data patterns (e.g., vendor has no address or bank account in the master file). The types of anomalies are:

Addresses that match to mailbox service companies or mailbox forwarding companies.
Email addresses that use public email addresses—such as Gmail or Hotmail.
Time and date the entity was added to the master file.
Lacks both an address and a bank account number.
Company names that only contain initials.

The person committing the scenario must be considered in designing the data interrogation routine for traditional shell companies. When the person creating the shell company has direct access to the master file, then the internal control avoidance strategy of searching for off‐period updates is a critical test. If the fraud scenario involves a department manager, then the off‐period analysis is not a valid routine. Unless the fraud scenario involves collusion with the direct input function, then the off‐period analysis should also be considered.

Fraud Data Analytics for the Assumed Entity Shell Company

The assumed entity shell focuses on the change analysis. The key fields for vendors are address or bank account, because your company either electronically transfers the payment or mails the payment. For customer shell companies, the address tends to be critical due to the shipment of inventory. Other fields may also be changed to control the flow of information: telephone number, email address, and contact person name.

In change analysis we must consider both temporary and permanent change analysis. In the temporary change, someone is taking over the identity and processing one transaction and then changing the identity information back to the original data. The key is to search for a frequency of change by the internal person who has the ability to change the data. In permanent change, the first step is to identify entities with a change to address or bank account. Then attach the transactional history for anomalies in the transactional history.

If the company maintains a change file, the fraud data analysis is a matter of summarizing the change file by type of change for the permanent changes. If the change is a temporary change, then there should be two changes for the entity number. If no change file is maintained, then the analysis must compare two master files. The comparisons should be the first master file at the beginning of the scope period and the last master file at the end of the scope period. This analysis is not effective for the temporary change. In that case, the analysis would need to focus on the transaction file. To illustrate the concept of using the transaction file:

Using false customer refunds for dormant customers with a credit balance, the fraud data analytics plan would search the payment table for duplicate addresses with different customer names.

In the vendor file involving false invoices, the fraud data analytics plan would search the payment table for a vendor number having payments going to two or more addresses or bank accounts. The key in both data elements is using the payment table.

In the rare cases where a perpetrator takes over the identity of a real company that is not on the master file and is not complicit in the fraud scheme, the data interrogation would use the missing or data anomaly testing. The key difference would be in the audit testing. The address in the master file would not match the address of the real not‐complicit vendor.

Fraud Data Analytics for the Hidden Entity Shell Company

The hidden entity focuses on the duplicate test because the shell company is operating under two or more different names or operating under the same name but different vendor or customer numbers. The hidden entity shell company might be two or more legal entities or one legal entity operating under different names. The duplicate analysis would first focus on address, bank account number, telephone number, government issued number, contact person, or email address. The hidden entity typically correlates to the same general ledger accounts or the same budget owner.

The use of fuzzy logic on name fields is also useful. Once the fuzzy logic identifies a match on names, the second analysis should use the duplicate testing or go directly to the transaction testing.

Fraud Data Analytics for the Limited‐Use Shell Company

Typically, companies have codes or numbers to tag one‐time vendors. In one company, all one‐time payment vendors had the same vendor number. In another company, the company assigned all temporary vendors with a vendor number starting with nine. The key is to understand how your company tags one‐time vendors. The first report for one‐time vendors is an aggregate dollar and a record count analysis to determine the dollar materiality and frequency of use. The second level of analysis is anomalies in the transactional data.

Linkage of Identified Entities to Transactional Data File

Within the shell company fraud data analytics an exact match to the payroll database or an exact duplicate match by itself is sufficient to cause the auditor to select the entity for fraud testing. However, linking the transactions to the entity number is the convincing piece of information.

Let's assume we perform a duplicate address test in the vendor master file. We identify two vendors with a duplicate address and two different names. As a general rule, once your shell company testing has identified an entity of interest, attach the transactional history to the vendor or customer number and summarize the activity by dollar and record count. Let's look at two different situations:

Vendor one has a spend level of $1 million and vendor two has a zero spend level. Obviously, there is no current fraud risk when the vendor spend level is zero.
Vendor one has a spend level of $1 million and vendor two has a spend level of $750,000. The transactional history should be analyzed for duplicate transaction history or transactional anomalies—that is, the $750,000 invoice number pattern is a sequential pattern.

Fraud Data Analytics Scoring Sheet

The scoring sheet is a valuable tool in analyzing entities or transactions for the red flags associated with the fraud scenario. It is based on the totality of the red flags associated with the fraud data analytics plan versus one red flag. Seldom is there one red flag which is strong enough to suggest that a fraud scenario is occurring in a core business system.

The scoring sheet should weight each red flag on a score of one, two, and three. The evidence of the red flag would cause a score for the red flag. The scoring sheet would then total all of the red flags. The higher the score, the more persuasive the evidence is for sample selection purposes.

Impact of Fraud Concealment Sophistication Shell Companies

In Chapter 3, we discussed the three levels of concealment. The level of sophistication has a direct impact on the type of data interrogation routine, as described in this section.

The exception to the rule is the assumed entity shell company. Impact of fraud concealment sophistication shell companies operating as an assumed identity is not critical on the fraud data analysis routine. In the permanent takeover, the change to the critical field causes the sample selection. In the temporary takeover, it is the pattern and frequency of the event linked to a person that should cause the sample selection. Yes, the data field can have the same sophistication in hiding the entity, but the change to the critical field causes the sample selection.

Low Sophistication and Internal Perpetrator

There is a direct linkage between the perpetrator identity and the shell company identity. The fraud data analytics should compare the employee database to the vendor or customer database using the specific identification strategy using an exact match. Using the address field, the match would occur on street, city, state, and postal code.

Low sophistication should always start with exact match because of the simplicity of designing the test. If the exact match test does not provide a sample, then consideration should be provided to using the close or related match testing. The close match may focus on the postal code or the area code of a telephone number. The related match may identify all entities within a radius of the corporate office using the postal code field.

Medium Sophistication and Internal Perpetrator

There is a limited linkage between the perpetrator and the shell company. Some aspect of the identity will match; however, the matching information by itself is not sufficient to cause a sample selection. That is, the vendor and employee use the same bank but have different bank account numbers or the vendor and employee have the same city, state, and Zip Code but have a different street address. When the fraud data analytics is focusing on a specific person, there may be sufficient linkage for a sample selection at the medium sophistication.

To illustrate data interrogation at the medium level, there is an allegation that someone in the accounts payable function has created a shell company. The employee payroll records indicate that the employee has direct deposit at bank XYZ. The human resource records also indicate a start date of April 1, 2016. The fraud data analysis plan then would identify all vendors using bank XYZ that were added to the master file on or after the employee start date.

High Sophistication and Internal Perpetrator

There is no linkage between the perpetrator and the shell company. The use of the matching technique does not work. The fraud data analytics plan should focus on the fraudulent action statement and then link back to the entity structure.

Low Sophistication and External Perpetrator Permutation

This is either a hidden entity or a pass‐through scheme. Pass‐through fraudulent action is discussed in Chapter 7. Fraud data analytics should compare vendors to vendors, customers to customers, or vendor and customer using the exact match. If exact match is not successful, then the close match or related match should be considered.

Medium Sophistication and External Perpetrator

This is similar to the medium sophistication and internal perpetrator fraud data analysis.

High Sophistication and External Perpetrator

This is similar to the high sophistication and internal perpetrator fraud data analysis.

Building the Fraud Data Profile for a Shell Company

The process of building a fraud data profile starts with identifying the data that links to the fraud scenario. Typically, this is the easy part of the process. The second step is to identify how the data element links to the fraud scenario. The third step is to describe the characteristics of the data in a manner that allows a fraud data interrogation routine to be developed. The last step is to program the search routine. I want to stress that step three is critical to designing the search routine.

My goal in this section is to illustrate the types of data red flags that the auditor could search for. In reality, the profile must be built for the company and country where the business is located. With a red flag test, there are always going to be exceptions. This is why the weight of all the red flags is more indicative of a fraud scenario versus one red flag. This is why the scoring sheet concept is so important.

To illustrate, in the email field, we will indicate that email addresses using a public email service versus a company designation is a red flag. Just before I started writing this book, I received an email from a prominent attorney who was using AOL as his email address. Hey, you never know.

Shell Company Profile Information

Name

Shell companies often have nondescriptive names. Nondescriptive names tend to have a limited number of alpha positions, and contain abbreviations or initials:

One search is to look for names with a limited number of consonants in the name. Obviously depending on where in the world the search is performed will impact the variable. In the United States we use five consonants. We strip out the “Inc.,” spaces, vowels, or special symbols and then count the alpha string.
Shell companies often use initials in the name. In this case, we strip out all the alpha and numeric positions and count the special symbols. Since abbreviations use periods, the count should focus on periods versus all special symbols.
In a second test for initials, we strip out the “Inc.,” spaces, vowels, or special symbols, and then count the alpha string.
From a data interpretation strategy, search for company names that are nondescriptive of what products or services the company provided. Publicly traded companies are generally not considered within this test.

Street Address

The street address field typically has two fields, street address one and street address two. Some databases have a physical address, a payment address, and salesperson contact information. Since address is a critical field in searching for shell companies, it is important that the auditor understand the categories of addresses that can be identified in the fraud data analytics:

Street address, which has a number and a street name.
P.O. box, which is either a bank lockbox or a postal address.
A public mailbox service company, such as UPS.
A private mailbox service company. These addresses are either a high profile address, such as Park Ave, NYC, or CPA firms that provide bookkeeping services for companies.
A mail forwarding address. To illustrate, Regus advertises that they have over 3,000 locations around the world that can function as a virtual office. A second company, My US, advertises they are the most trusted consolidation company in the world, operating in over 220 companies worldwide. USA2ME advertises that you can have all your USA mail sent to your USA2ME address and then have the mail forwarded to you. Mailbox Forwarding advertises that since your mailbox will be a real physical street address, not a PO box, you can receive mail and packages from carriers such as UPS and FedEx, use the address with financial institutions, and portray a more professional image. I am not questioning the business integrity of these companies but rather, pointing out how a physical address, street and number, may be a mail forwarding company. The first step with mailbox service companies or mailbox forwarding companies is to understand the address format used by the company. The second step is to identify all customers or vendors using that category of address.
Missing address is a test designed to search for shell companies in category one. In reality, vendor database address field might be blank because the vendor requires electronic payment. Government vendors' address fields often blank.
Duplicate address is a test designed to search for the hidden entity.
Anomaly—when the vendor address links to a public mailbox company, a private mailbox company, or a mail forwarding company. As a word of caution, small companies or companies operating from their home use these types of services.
Programming these search routine requires the fraud auditor to use creativity in building the search routines. The following are examples of using creativity to search for the address anomalies:
- Strip out all alpha, spaces, and special symbols and search for duplicate numeric strings in the vendor database or between payroll and vendor databases. In searching for duplicate numeric strings the Zip Code field should be linked to street number to minimize false positives.
- Mailbox forwarding companies often embed a customer number in the street address. Therefore, strip features on the address field from right to left. First, strip the numeric, then the alpha; this should leave a numeric string.

Country, City, State, and Postal Code

One belief is that the shell corporation would be within a radius of the corporation or within the state to avoid crossing state or country lines. We believe this is more likely with low‐ to medium‐sophistication perpetrators than high sophistication. The search routine could identify entities within the defined geographic location. The routine is enhanced when it can be linked to a person and a creation date.

Telephone Number

Shell corporations often use mobile lines when no physical office exists. Hidden entities may not want the expense of a second line. Salespeople know that their telephone number is their lifeline to their sales effort. The following tests are useful in the telephone number field:

Missing telephone number is indicative of a shell company because the perpetrator is trying to control the flow of information or the shell company does not have a telephone number.
Matching telephone number between payroll database and the vendor or customer database is indicative of a shell company.
Duplicate telephone number is indicative of the hidden entity or a pass‐through scheme involving a salesperson at a real company.

Bank Routing Number

Payments are transferred either by wire or address. The routing number can be used to correlate to prospective individuals. The theory is simple; the perpetrators are smart enough not to use their personal bank account but would use the same bank for their shell corporation bank account.

Missing—indicative of a shell company because the perpetrator is trying to avoid a match between the shell company and the perpetrator.
Matching testing—searching for a match between two different master files. The most common test is between vendor and employee. The test should also be performed between employee and customer to identify a pass‐through when a salesperson is committing a pass‐through scheme.
Duplicate testing—searching for duplicate bank account numbers in the master file.
Anomaly—an entity that has no address or bank account number. If the data analysis is focusing on a specific person, then identifying all vendors that use the same bank may be useful.

Government Registration Number

The government registration number is indicative of one company using different names or a hidden entity shell company. I should mention operating as a DBA is an acceptable process, although the DBA should be registered. The duplicate search routine would also detect the hidden entity.

Missing—the lack of government registration numbers is common in the USA because until recent years there was no need to collect the information. In Europe and other parts of the world, a missing government registration number would be a glaring red flag.
Matching—searching for a match between two different master files.
Duplicate—searching for a duplicate government registration number in the master file.
Anomaly—a partnership or corporation and the government registration number is in the format of an individual's government registration number.

Email Address

Almost everyone has at least one email address. Individuals may use their business email and their personal email. Personal emails are attached to a business.

Missing—the lack of an email address is not common and should be considered an important red flag.
Matching—searching for a match between two different master files.
Duplicate—searching for a duplicate email address in the master file.
Anomaly—a business using a public email system such as AOL or Gmail.

Create Date

Most fraud scenarios are disclosed within four years or less according to most fraud studies. The theory is simple: If the company has been active on the master file for greater than 48 months, then it would suggest the company is a real company. No, I would not give this a high rating, but it is a useful guide. Create dates on weekends and holidays are useful for off‐period analysis.

Create Time

This is useful for off‐period analysis. The search is for an entity created during nonbusiness hours, which is a red flag.

ID of Record Creator

There are two categories of individuals. The user ID that by job description is responsible for creating or changing entities, and individuals who may create an entity but this is not part of their normal duties. In the vendor master file, these duties are typically limited to a small group of individuals. In the customer master file, depending on the company and industry, the number of individuals that can create or change a customer master file can be large. The missing, matching, and duplicate test is generally not very useful on this data element. The importance of the data element is linking the event to a person and the search for individuals accessing the master file where that is not part of their normal job duties.

Shell Companies Operating as Customers

Shell companies are usually associated with vendors; however, shell companies can also be used to commit asset misappropriation schemes, discussed in Chapter 12, and financial statement fraud, discussed in Chapter 14. The same identifying information should be interrogated for shell customers using the same types of tests. In addition the credit code or credit amount should be included. For material financial statement fraud, the credit code would be high for a new customer. For asset misappropriation, the credit code will determine the amount of false invoices.

Shell Companies as Employees

Payroll shell companies are referred to as ghost employees. The category description of ghost employees is similar to the preceding categories; the categories' names need to be changed to employee names. Ghost employees are discussed in Chapter 11.

Fraud Audit Procedures to Identify the Shell Corporation

The primary purpose of this book is to explain a fraud data analytics methodology for fraud scenarios versus fraud auditing procedures to examine documents. However, understanding how the fraud links to the fraud data analytics is also critical. In this chapter, we will illustrate the type of evidence gathering procedures necessary to link to your fraud data analytics program.

Before reading, some will believe the procedures are audit related and some will believe the procedures are investigative. Just ask yourself the following question: Would your test of the new vendor procedures reveal a shell company? If not, continue reading. For those still undecided, consider the rules of audit evidence as it relates to qualitative evidence. The highest form of qualitative evidence is externally created and externally stored. The steps described in entity, legal, physical, business capacity, and reference checking fit that bill. One more example: In a financial audit of accounts receivable, auditors send confirmations, which is externally created and externally stored evidence. Remember, it makes no sense to identify a fraudulent transaction in your sample if your audit procedure cannot identify the fraud scenario.

The four entity verification procedures are: legal creation, physical location, business capacity, and reference checking. The first step in entity verification is to determine that the control procedures were adhered to in recording the entity into the business system. Identification of the people associated with establishing an entity structure must be performed for comparison purposes in future fraud audit procedures. The intent is not control testing, but the gathering of information to establish a basis for entity verification.

Entity Verification

The order of verification is: analyzing the legal existence, verifying physical existence, evaluating business capacity, and reference checking. The first three procedures can generally be performed in a covert manner; however, reference checking tends to be overt, and so the procedure is generally performed last.

Verify Legal Existence

Government registration. All entities have a legal registration. Employees have birth records and corporations have registration requirements with an applicable government office. The first step is to establish whether the entity is legally created, then gather identifying information that can eventually be linked to other pertinent information. Names of registrars; officers' addresses; and dates related to entity creation, dissolutions, or changes tend to be the critical information. In one case, the name on a government registration document matched a name on a packing slip for a shell company. This was the first red flag that eventually led to a three‐million‐dollar pass‐through fraud scheme.
Government registration date. Compare the government registration date to the date of the first business transactions. For vendor invoices, compare the first invoice date to the government registration date.
Trade associations. When an entity is a member of a trade association, a business's membership provides evidence that the entity is a real one or provides a lead to the true ownership. The failure of the business to be a member of any logical trade group is a red flag because most real companies belong to at least one trade organization.
Use of Internet search companies such as Lexus Nexus, which gathers public record information that is made accessible to clients. A search of a company on Lexus Nexus can find if any public records exist on the company and what types of records they are.
Conclusion: The Company is legally created. We are looking for a linkage on the government database to internal employees, linkage to known vendors, or the absence of identifying information. We are also focusing on dates, addresses, and formation companies.

Verify Physical Existence

Telephone verification. By contacting the entity, you verify physical existence by the mere fact of the call being answered. Then it becomes a question of how the call is answered. How the call is answered is part of the evidence associated with the audit judgment of whether the entity is real or false. By calling, the possible outcomes are: the telephone is disconnected; someone answers in the name of a different entity; or someone answers in the name of the entity in question. Interview skills are the critical skill to ensure the success of the procedure. Here a few practical tips:
- Use a telephone in the area code of the company you are auditing. Area codes from out of the area may create a suspicion of why you are calling.
- Be prepared to provide an explanation as to why you are calling. Possible explanations are updating records, resolving internal problems, or tracking down misplaced original documents. Try not to raise suspicion at this stage of the audit.
- Have the documents readily available to ask questions or provide answers.
- Avoid calling multiple times, as a second telephone call raises suspicions.
- Remember, the entity you are calling may have Caller ID. Therefore, do not indicate that you are someone other than the person associated with the number identified.
- The manner in which a call is answered must be consistent with the anticipated business size.
Internet search engines like Google can determine what physical structure is located at the known address, and whether the address is consistent with the entity structure. Often, the created entity scheme will use a personal residence address. Remember that many small businesses operate from the owner's personal residence, so, in this case, reference checking may be preferred in order to reveal that the entity does not conduct business.
Site visit. By visiting the site, it can be determined what physical structure is located at the known address, and whether the address is consistent with the entity structure. Private detectives often will perform the procedure for a nominal charge, so the use of one may be useful for verifying entities that are not located in your geographic area. A significant international fraud was revealed by visiting the physical location, which determined that the business was a beverage store versus an international food brokering company.
Public records can determine whether a government or business recognizes the entity as a real entity, and that the address is recognized by other entities. A legal instrument filed by banks securing a loan indicates that the bank believes the entity is real. The loan instrument may provide clues that link to the perpetrator.
The IRS website can provide federal identification verification, which will determine whether the federal identification number or Social Security number matches the name associated with the ID number. In many parts of the world, corporations will have a VAT number, which can be confirmed with a government ministry and provide a source of data intelligence.
The Internet has extensive databases and search engines to gather information. At the simplest level, Google is an excellent starting point. At the advanced level, there are research companies that have made an art of how to navigate the Internet.
Conclusion: Is the known physical location of the business consistent with the business on the vendor invoice?

Business Capacity Test

Proof of insurance. Real companies tend to have insurance. The fraud testing procedure would consist of a request of the certificate of insurance. Fortunately, such a request is a normal control procedure in many companies, but for fraud audit purposes, the need is to examine the certificate to note the date of coverage and types of coverage. The lack of workers' compensation might indicate that the company has no employees. Caution: Workers' compensation can be purchased through payroll companies.
Employees. A company telephone directory provides evidence that the company has employees. By calling the company, you are often referred to the company telephone directory when you do not know an employee's extension. The lack of a telephone directory might be a clue.
A public record filed by a bank or a financing company can indicate a lien has been filed against the described asset. It also indicates that the bank recognizes the entity as a real company.
Shipping documents, such as a bill of lading, indicate the source of the shipment, therefore providing the name of the company that shipped the goods.
Vendor invoices. What software produced the document? Was it Excel or consistent with a known database accounting software? Is the product description consistent with industry standards as to sku numbers or alpha descriptions?
Websites. If a company has a website, does such a site provide matching information about the businesses and services offered? An examination of a website determined that the goods purchased from the company were not consistent with the website, revealing a real company involved in a pass‐through scheme with an internal employee.
Conclusion: We believe the business capacity test is the most important analysis. The determination is simple: Does the company listed on the invoice have the capacity to provide the goods or services listed on the invoice?

Reference Checking

Professional associations. Is the entity recognized by a trade association? Such organizations can also provide useful information on trade practice and trends, which in turn can be used to corroborate representations made by individuals.
Competitors. Contact competitors to establish that the entity conducts business consistent with the goods and services described on the invoice. Competitors may also provide other information regarding ownership and business conflicts.
Media searches. Information published regarding the entity may provide names, services, and legal actions regarding the entity. Advertisements by the entity would suggest the existence of the entity and describe the type of services provided by the entity.
Conclusion: Is the business known by the industry?

Summary of Intelligence Information Regarding Shell Companies

The legal, physical, business capacity, and reference checking provides a sound methodology for gathering evidence that an entity is a shell company versus a real company. The process is not one‐dimensional, but rather a process of collecting and analyzing information that correlates to the fraud scenario. The identification of red flags in both the entity structure and the transactional data provides the auditor with sufficient circumstantial evidence to recommend an investigation process through the legal system.

Summary

Shell companies are widely used by people who want to steal company assets, ranging from internal persons to organized crime groups. Management may create a shell company as a way to disguise bribe payments. Banks search for shell companies in their AML programs. From a fraud data analytics perspective, once a shell company is found, there is no question that someone is committing a fraudulent act. As a personal recommendation, I suggest starting your fraud data analytics journey with the search for shell companies. By using the fraud data analytics methodology on something as simple to understand as shell companies, the fraud auditor will improve the art form of the methodology.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 6: Fraud Data Analytics for Shell Companies

Create new playlist

Sign In

Sign Up