Boards of directors, stockholders, management, and the professional standards are expecting auditors to respond to the risk of fraud in core business systems. Within a company's accounts payable file, shell companies are being used to steal millions of dollars from companies or the shell company is used to conceal bribe payments that violate anti‐bribery laws. The purpose of this chapter is to explain our methodology and experiences in detecting shell companies within the fraud audit.
In your customer database, internal employees have set up shell companies to sell to themselves at large discounts. We call this a front customer scheme. The internal employee then sells the goods to your customers at a markup and skims off the profit. In your vendor database, internal employees have created shell companies to misappropriate company funds or management has created a shell company to conceal the payment of bribes. In payroll, the internal employee has created the proverbial ghost employee.
The fraud scenario approach to uncovering fraud in core business systems recognizes that every secondary category of the fraud risk structure has one or more inherent fraud schemes. Every fraud scheme has two parts—an entity and a fraudulent action statement. This chapter will discuss fraud data analytics to search for the entity structure of the inherent scheme. In particular, this chapter will discuss fraud data analytics for locating the shell company. Starting with the homogeneous data concept, Figure 6.1 illustrates the concept of three groups of shell companies.
From a fraud data analytics perspective, there are three homogeneous categories of shell companies. A fourth category is a subset of the first three. The shell company describes the vendor or customer. How the list relates to employees will be discussed in Chapter 8.
A shell corporation is a legally created entity that has no active business or is used to conceal the true identity of the real company operating through a shell company. In essence, a shell corporation exists mainly on paper, has no physical presence, employs no one, and produces nothing. Within more sophisticated concealment strategies the perpetrators may employ the use of an office or employees to provide the illusion of a legitimate business entity. Shell corporations are frequently used to shield identities and/or to hide money in cases of money laundering, bankruptcy, bribery, and fraudulent conveyances. Scandals range from thousands to millions of dollars and always result in embarrassing moments for the corporation and management. Shell companies are called different names in different industries and different continents. Common names are paper company, fictitious company, nominee company, front company, dummy corporation, and numbered company. Shell companies can also occur in nonlegally created companies, meaning in name only.
From an internal perspective of asset misappropriation in category one, the shell company is used for false billing schemes or a pass‐through scheme, which is discussed in Chapter 7. In category two, the assumed identity shell companies are also used for false billing and pass‐through schemes. Category three shell companies are used to circumvent payment internal controls and procurement internal controls. Category four shell companies are used in asset misappropriation schemes and internal control avoidance. All four categories are also associated with corruption schemes.
Shell companies are also used in financial statement fraud schemes where management is recording false revenue or transferring liabilities. The data analytics for a shell customer is the same as the data analytics for a shell vendor, except the data profile would need to be tailored for attributes associated with a customer versus a vendor.
The conflict‐of‐interest entity is a legally created company and provides the services or goods as described on the invoice. The conflict of interest is based on an undisclosed legal or beneficial ownership of the company. In Chapter 8, we will discuss conflict of interest in the purchase decision. The conflict‐of‐interest entity may operate as a shell company or as a real company with an undisclosed legal or beneficial ownership. In the first situation, the conflict‐of‐interest entity may have only one customer. In the second situation, the conflict‐of‐interest entity is in the business of providing services to the entire business community.
I know this sounds silly, but there are two types of real companies. The first type is a real company that is complicit with the fraud action statement. The second type is a real company that processed the transaction through their books and records but was not complicit with the fraud action statement.
The plan starts with recognizing the homogeneous grouping of companies in the vendor master file or the customer master file. Using disaggregated analysis the fraud data analytics plan recognizes the subcategories within the homogeneous group of shell companies. The fraud sophistication concealment theory understands that at the low level the analysis of the master file should disclose the false entity, whereas, as the sophistication rises to medium to high, the ability to identify shell companies diminishes. The medium to high levels require the analysis of the transactions that link to the entity structure. At the high level, the search will start with the transactions and link back to the entities that have the transaction anomaly.
The search for the shell company starts with the specific identification strategy. We use the matching search routines, missing search routines, and the data anomaly testing. The matching test is a comparison of two databases for a match. The most common test is the vendor database to the employee database. However, the same test should be performed for the employee and customer databases.
The matching test is highly effective because the match provides direct evidence of the linkage between the two entities. The matching should focus on address, bank account, telephone number, government identification number, and email address. The matching test is effective for low‐sophistication concealment but loses its effectiveness when the perpetrator ensures that the two entities have different identities. Figure 6.2 illustrates the impact that concealment theory has on the address field when using the matching test.
The missing analysis is an inference analysis that suggests that missing information is an indicator of someone with something to hide. The missing analysis should focus on address, bank account, telephone number, government identification number, and email address. It is the weight of all the missing information versus the lack of one element.
The anomaly testing uses the data in the master file to identify attributes associated with a shell company (e.g., P.O. box) or compares data for illogical data patterns (e.g., vendor has no address or bank account in the master file). The types of anomalies are:
The person committing the scenario must be considered in designing the data interrogation routine for traditional shell companies. When the person creating the shell company has direct access to the master file, then the internal control avoidance strategy of searching for off‐period updates is a critical test. If the fraud scenario involves a department manager, then the off‐period analysis is not a valid routine unless the fraud scenario involves collusion with the direct input function, in which case the off‐period analysis should also be considered.
The assumed entity shell focuses on the change analysis. The key fields for vendors are address or bank account, because your company either electronically transfers the payment or mails the payment. For customer shell companies, the address tends to be critical due to the shipment of inventory. Other fields may also be changed to control the flow of information: telephone number, email address, and contact person name.
In change analysis we must consider both temporary and permanent changes. In the temporary change, someone is taking over the identity, processing one transaction, and then changing the identity information back to the original data. The key is to search for a frequency of change by the internal person who has the ability to change the data. In permanent change, the first step is to identify entities with a change to address or bank account. Then attach the transactional history and search it for anomalies.
If the company maintains a change file, the fraud data analysis is a matter of summarizing the change file by type of change for the permanent changes. If the change is a temporary change, then there should be two changes for the entity number. If no change file is maintained, then the analysis must compare two master files. The comparisons should be the first master file at the beginning of the scope period and the last master file at the end of the scope period. This analysis is not effective for the temporary change. In that case, the analysis would need to focus on the transaction file. To illustrate the concept of using the transaction file:
Using false customer refunds for dormant customers with a credit balance, the fraud data analytics plan would search the payment table for duplicate addresses with different customer names.
In the vendor file involving false invoices, the fraud data analytics plan would search the payment table for a vendor number having payments going to two or more addresses or bank accounts. The key in both data elements is using the payment table.
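The change-file and payment-table tests described above can be sketched as follows. This is an added example, not code from the book; the row layouts, vendor numbers, and user IDs are constructed, and a "temporary" change is assumed to mean two or more changes to a critical field that end on the original value.

```python
from collections import defaultdict
from datetime import date

# Constructed change-file rows:
# (vendor_no, field, old_value, new_value, changed_on, user_id)
CHANGE_FILE = [
    ("V100", "bank_account", "111-A", "999-Z", date(2016, 5, 2), "jdoe"),
    ("V100", "bank_account", "999-Z", "111-A", date(2016, 5, 9), "jdoe"),
    ("V200", "address", "1 Main St", "PO Box 7", date(2016, 6, 1), "asmith"),
    ("V300", "bank_account", "222-B", "888-Y", date(2016, 7, 11), "jdoe"),
    ("V300", "bank_account", "888-Y", "222-B", date(2016, 7, 15), "jdoe"),
]

# Constructed payment-table rows: (vendor_no, bank_account, amount)
PAYMENTS = [
    ("V100", "111-A", 1200.0), ("V100", "999-Z", 48000.0),
    ("V200", "333-C", 900.0), ("V300", "222-B", 700.0),
    ("V300", "888-Y", 15500.0), ("V400", "444-D", 300.0),
]

CRITICAL_FIELDS = {"address", "bank_account"}


def classify_changes(change_file):
    """Return {(vendor, field): 'temporary' | 'permanent'} for critical fields."""
    history = defaultdict(list)
    for vendor, field, old, new, when, _user in change_file:
        if field in CRITICAL_FIELDS:
            history[(vendor, field)].append((when, old, new))
    result = {}
    for key, rows in history.items():
        rows.sort()  # chronological order
        original, final = rows[0][1], rows[-1][2]
        # Two or more changes ending on the starting value: the identity
        # was taken over and then restored.
        reverted = len(rows) >= 2 and original == final
        result[key] = "temporary" if reverted else "permanent"
    return result


def temporary_changes_by_user(change_file):
    """Frequency of temporary changes per user ID (the person linkage)."""
    kinds = classify_changes(change_file)
    seen = defaultdict(set)
    for vendor, field, _old, _new, _when, user in change_file:
        if kinds.get((vendor, field)) == "temporary":
            seen[user].add((vendor, field))
    return {user: len(keys) for user, keys in seen.items()}


def vendors_paid_to_multiple_accounts(payments):
    """Payment-table test: vendor numbers paid to two or more bank accounts."""
    totals = defaultdict(lambda: defaultdict(float))
    for vendor, account, amount in payments:
        totals[vendor][account] += amount
    return {v: dict(a) for v, a in totals.items() if len(a) >= 2}


if __name__ == "__main__":
    print(classify_changes(CHANGE_FILE))
    print(temporary_changes_by_user(CHANGE_FILE))
    print(vendors_paid_to_multiple_accounts(PAYMENTS))
```

The payment-table test still works when no change file exists, which is the case the text singles out for temporary changes.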
In the rare cases where a perpetrator takes over the identity of a real company that is not on the master file and is not complicit in the fraud scheme, the data interrogation would use the missing or data anomaly testing. The key difference would be in the audit testing. The address in the master file would not match the address of the real not‐complicit vendor.
The hidden entity focuses on the duplicate test because the shell company is operating under two or more different names or operating under the same name but different vendor or customer numbers. The hidden entity shell company might be two or more legal entities or one legal entity operating under different names. The duplicate analysis would first focus on address, bank account number, telephone number, government issued number, contact person, or email address. The hidden entity typically correlates to the same general ledger accounts or the same budget owner.
The use of fuzzy logic on name fields is also useful. Once the fuzzy logic identifies a match on names, the second analysis should use the duplicate testing or go directly to the transaction testing.
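A sketch of the hidden-entity search: a duplicate test on identifying fields, then fuzzy name matching confirmed by the duplicate test. This is an added example, not code from the book; the vendor records, the 0.8 similarity threshold, and the list of legal suffixes are assumptions, and Python's `difflib` stands in for whatever fuzzy-logic tool the auditor uses.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed vendor master records
VENDORS = [
    {"id": "V10", "name": "ABC Consulting LLC", "phone": "(518) 555-0101",
     "tax_id": "00-0000001", "email": "billing@abc.example"},
    {"id": "V11", "name": "A.B.C. Consultants", "phone": "518-555-0101",
     "tax_id": "00-0000002", "email": "ap@abcc.example"},
    {"id": "V12", "name": "Northway Paving Inc", "phone": "518-555-0199",
     "tax_id": "00-0000003", "email": "office@northway.example"},
    {"id": "V13", "name": "Hudson Supply Co", "phone": "518-555-0150",
     "tax_id": "00-0000001", "email": "sales@hudson.example"},
]

ID_FIELDS = ("phone", "tax_id", "email")
LEGAL_SUFFIXES = {"llc", "inc", "co", "corp", "ltd"}  # assumed list


def norm_value(value):
    """Strip formatting so '(518) 555-0101' equals '518-555-0101'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def norm_name(name):
    """Lowercase, drop punctuation and legal suffixes before comparing."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def duplicate_groups(vendors):
    """Duplicate test: {(field, value): [vendor ids]} shared by 2+ vendors."""
    groups = defaultdict(list)
    for v in vendors:
        for field in ID_FIELDS:
            value = norm_value(v.get(field, ""))
            if value:
                groups[(field, value)].append(v["id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) >= 2}


def fuzzy_name_pairs(vendors, threshold=0.8):
    """Vendor pairs whose normalized names are at least `threshold` similar."""
    pairs = []
    for a, b in combinations(vendors, 2):
        score = SequenceMatcher(
            None, norm_name(a["name"]), norm_name(b["name"])).ratio()
        if score >= threshold:
            pairs.append((a["id"], b["id"]))
    return pairs


def hidden_entity_candidates(vendors):
    """Fuzzy name matches that the duplicate test also links, with the fields."""
    shared = defaultdict(list)
    for (field, _value), ids in duplicate_groups(vendors).items():
        for pair in combinations(ids, 2):
            shared[pair].append(field)
    return {pair: sorted(shared[pair])
            for pair in fuzzy_name_pairs(vendors) if pair in shared}


if __name__ == "__main__":
    print(duplicate_groups(VENDORS))
    print(hidden_entity_candidates(VENDORS))
```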
Typically, companies have codes or numbers to tag one‐time vendors. In one company, all one‐time payment vendors had the same vendor number. In another company, the company assigned all temporary vendors with a vendor number starting with nine. The key is to understand how your company tags one‐time vendors. The first report for one‐time vendors is an aggregate dollar and a record count analysis to determine the dollar materiality and frequency of use. The second level of analysis is anomalies in the transactional data.
Within the shell company fraud data analytics an exact match to the payroll database or an exact duplicate match by itself is sufficient to cause the auditor to select the entity for fraud testing. However, linking the transactions to the entity number is the convincing piece of information.
Let's assume we perform a duplicate address test in the vendor master file. We identify two vendors with a duplicate address and two different names. As a general rule, once your shell company testing has identified an entity of interest, attach the transactional history to the vendor or customer number and summarize the activity by dollar and record count. Let's look at two different situations:
The scoring sheet is a valuable tool in analyzing entities or transactions for the red flags associated with the fraud scenario. It is based on the totality of the red flags associated with the fraud data analytics plan versus one red flag. Seldom is there one red flag which is strong enough to suggest that a fraud scenario is occurring in a core business system.
The scoring sheet should weight each red flag on a score of one, two, and three. The evidence of the red flag would cause a score for the red flag. The scoring sheet would then total all of the red flags. The higher the score, the more persuasive the evidence is for sample selection purposes.
In Chapter 3, we discussed the three levels of concealment. The level of sophistication has a direct impact on the type of data interrogation routine, as described in this section.
The exception to the rule is the assumed entity shell company. The impact of fraud concealment sophistication on shell companies operating as an assumed identity is not critical to the fraud data analysis routine. In the permanent takeover, the change to the critical field causes the sample selection. In the temporary takeover, it is the pattern and frequency of the event linked to a person that should cause the sample selection. Yes, the data field can have the same sophistication in hiding the entity, but the change to the critical field causes the sample selection.
There is a direct linkage between the perpetrator identity and the shell company identity. The fraud data analytics should compare the employee database to the vendor or customer database using the specific identification strategy using an exact match. Using the address field, the match would occur on street, city, state, and postal code.
Low sophistication should always start with exact match because of the simplicity of designing the test. If the exact match test does not provide a sample, then consideration should be provided to using the close or related match testing. The close match may focus on the postal code or the area code of a telephone number. The related match may identify all entities within a radius of the corporate office using the postal code field.
There is a limited linkage between the perpetrator and the shell company. Some aspect of the identity will match; however, the matching information by itself is not sufficient to cause a sample selection. That is, the vendor and employee use the same bank but have different bank account numbers or the vendor and employee have the same city, state, and Zip Code but have a different street address. When the fraud data analytics is focusing on a specific person, there may be sufficient linkage for a sample selection at the medium sophistication.
To illustrate data interrogation at the medium level, there is an allegation that someone in the accounts payable function has created a shell company. The employee payroll records indicate that the employee has direct deposit at bank XYZ. The human resource records also indicate a start date of April 1, 2016. The fraud data analysis plan then would identify all vendors using bank XYZ that were added to the master file on or after the employee start date.
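The matching test at the low and medium sophistication levels can be sketched as follows: an exact match of employee to vendor on address and bank account, and the same-bank, created-on-or-after-start-date search from the illustration above. This is an added example, not code from the book; all records, the routing identifiers, and the abbreviation table are constructed, and the bank is assumed to be identified by its routing number.

```python
import re
from datetime import date

# Constructed sample records; "R-XYZ" stands for bank XYZ's routing number.
EMPLOYEES = [
    {"id": "E1", "street": "12 Oak St., Apt 4", "city": "Albany", "state": "NY",
     "postal": "12207", "routing": "R-XYZ", "account": "5550001",
     "start": date(2016, 4, 1)},
    {"id": "E2", "street": "77 Pine Road", "city": "Troy", "state": "NY",
     "postal": "12180", "routing": "R-ABC", "account": "4440002",
     "start": date(2014, 9, 15)},
]
VENDORS = [
    {"id": "V1", "street": "12 OAK STREET APT 4", "city": "ALBANY", "state": "NY",
     "postal": "12207", "routing": "R-DEF", "account": "7770003",
     "created": date(2015, 1, 10)},
    {"id": "V2", "street": "900 Market Ave", "city": "Troy", "state": "NY",
     "postal": "12180", "routing": "R-XYZ", "account": "8889990",
     "created": date(2016, 6, 15)},
    {"id": "V3", "street": "1 Industrial Rd", "city": "Albany", "state": "NY",
     "postal": "12205", "routing": "R-XYZ", "account": "1231231",
     "created": date(2012, 3, 1)},
    {"id": "V4", "street": "5 Canal Sq", "city": "Cohoes", "state": "NY",
     "postal": "12047", "routing": "R-ABC", "account": "4440002",
     "created": date(2016, 2, 20)},
]

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def norm(text):
    """Lowercase, drop punctuation, and unify common street abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)


def address_key(rec):
    """Exact address match is on street, city, state, and postal code."""
    return tuple(norm(rec[f]) for f in ("street", "city", "state", "postal"))


def bank_key(rec):
    return (rec["routing"], rec["account"])


def exact_matches(employees, vendors):
    """Low sophistication: direct linkage between employee and vendor."""
    hits = []
    for emp in employees:
        for ven in vendors:
            if address_key(emp) == address_key(ven):
                hits.append((emp["id"], ven["id"], "address"))
            if bank_key(emp) == bank_key(ven):
                hits.append((emp["id"], ven["id"], "bank_account"))
    return sorted(hits)


def same_bank_after_start(employee, vendors):
    """Medium sophistication: same bank, different account, and added to
    the master file on or after the employee's start date."""
    return sorted(
        v["id"] for v in vendors
        if v["routing"] == employee["routing"]
        and v["account"] != employee["account"]
        and v["created"] >= employee["start"]
    )


if __name__ == "__main__":
    print(exact_matches(EMPLOYEES, VENDORS))
    print(same_bank_after_start(EMPLOYEES[0], VENDORS))
```

Without the normalization step, "12 Oak St., Apt 4" and "12 OAK STREET APT 4" would not match, so an exact-match test on raw address strings misses even low-sophistication concealment.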
There is no linkage between the perpetrator and the shell company. The use of the matching technique does not work. The fraud data analytics plan should focus on the fraudulent action statement and then link back to the entity structure.
This is either a hidden entity or a pass‐through scheme. Pass‐through fraudulent action is discussed in Chapter 7. Fraud data analytics should compare vendors to vendors, customers to customers, or vendor and customer using the exact match. If exact match is not successful, then the close match or related match should be considered.
This is similar to the medium sophistication and internal perpetrator fraud data analysis.
This is similar to the high sophistication and internal perpetrator fraud data analysis.
The process of building a fraud data profile starts with identifying the data that links to the fraud scenario. Typically, this is the easy part of the process. The second step is to identify how the data element links to the fraud scenario. The third step is to describe the characteristics of the data in a manner that allows a fraud data interrogation routine to be developed. The last step is to program the search routine. I want to stress that step three is critical to designing the search routine.
My goal in this section is to illustrate the types of data red flags that the auditor could search for. In reality, the profile must be built for the company and country where the business is located. With a red flag test, there are always going to be exceptions. This is why the weight of all the red flags is more indicative of a fraud scenario versus one red flag. This is why the scoring sheet concept is so important.
To illustrate, in the email field, we will indicate that email addresses using a public email service versus a company designation is a red flag. Just before I started writing this book, I received an email from a prominent attorney who was using AOL as his email address. Hey, you never know.
Shell companies often have nondescriptive names. Nondescriptive names tend to have a limited number of alpha positions, and contain abbreviations or initials:
The street address field typically has two fields, street address one and street address two. Some databases have a physical address, a payment address, and salesperson contact information. Since address is a critical field in searching for shell companies, it is important that the auditor understand the categories of addresses that can be identified in the fraud data analytics:
One belief is that the shell corporation would be within a radius of the corporation or within the state to avoid crossing state or country lines. We believe this is more likely with low‐ to medium‐sophistication perpetrators than high sophistication. The search routine could identify entities within the defined geographic location. The routine is enhanced when it can be linked to a person and a creation date.
Shell corporations often use mobile lines when no physical office exists. Hidden entities may not want the expense of a second line. Salespeople know that their telephone number is their lifeline to their sales effort. The following tests are useful in the telephone number field:
Payments are either transferred by wire or mailed to an address. The routing number can be used to correlate to prospective individuals. The theory is simple; the perpetrators are smart enough not to use their personal bank account but would use the same bank for their shell corporation bank account.
The government registration number is indicative of one company using different names or a hidden entity shell company. I should mention operating as a DBA is an acceptable process, although the DBA should be registered. The duplicate search routine would also detect the hidden entity.
Almost everyone has at least one email address. Individuals may use their business email and their personal email. Personal emails are attached to a business.
Most fraud scenarios are disclosed within four years or less according to most fraud studies. The theory is simple: If the company has been active on the master file for greater than 48 months, then it would suggest the company is a real company. No, I would not give this a high rating, but it is a useful guide. Create dates on weekends and holidays are useful for off‐period analysis.
This is useful for off‐period analysis. The search is for an entity created during nonbusiness hours, which is a red flag.
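A scoring sheet over the data-profile red flags discussed in this chapter might look like the following. This is an added example, not code from the book; the vendor records, the specific weights (one to three), the list of public email domains, the "two or more missing fields" rule, and the 08:00 to 18:00 Monday to Friday business hours are all assumptions to be replaced by the profile built for your company and country. Holidays are not modeled.

```python
import re
from datetime import datetime

PUBLIC_EMAIL = {"gmail.com", "aol.com", "yahoo.com", "outlook.com"}  # assumed
IDENTITY_FIELDS = ("address", "bank_account", "phone", "tax_id", "email")

# Constructed vendor master records
VENDORS = [
    {"id": "VA", "address": "PO Box 12", "bank_account": None, "phone": "",
     "tax_id": "00-0000009", "email": "qrs@aol.com",
     "created": datetime(2016, 7, 9, 23, 15)},   # a Saturday
    {"id": "VB", "address": "40 Mill Rd", "bank_account": "100200",
     "phone": "518-555-0111", "tax_id": "00-0000010",
     "email": "ar@millworks.example",
     "created": datetime(2010, 3, 15, 10, 0)},   # a Monday
    {"id": "VC", "address": "8 Dock St", "bank_account": "300400",
     "phone": "518-555-0122", "tax_id": "00-0000011",
     "email": "ap@dockside.example",
     "created": datetime(2016, 11, 2, 21, 30)},  # a Wednesday night
]


def months_between(start, end):
    return (end.year - start.year) * 12 + (end.month - start.month)


def red_flags(vendor, as_of):
    """Return [(red flag, weight)] for every flag the record triggers."""
    created = vendor["created"]
    missing = sum(1 for f in IDENTITY_FIELDS if not vendor.get(f))
    address = re.sub(r"[^a-z0-9]", "", (vendor.get("address") or "").lower())
    domain = (vendor.get("email") or "").rpartition("@")[2].lower()
    weekend = created.weekday() >= 5
    off_hours = not weekend and not 8 <= created.hour < 18
    checks = [
        # Weight of all the missing information, not one missing element.
        ("two or more identity fields missing", 3, missing >= 2),
        ("P.O. box address", 2, address.startswith("pobox")),
        ("public email service", 2, domain in PUBLIC_EMAIL),
        ("created on a weekend", 2, weekend),
        ("created outside business hours", 2, off_hours),
        # Low weight: the text calls the 48-month rule a guide only.
        ("on master file 48 months or less", 1,
         months_between(created, as_of) <= 48),
    ]
    return [(name, weight) for name, weight, hit in checks if hit]


def score(vendor, as_of):
    return sum(weight for _name, weight in red_flags(vendor, as_of))


def rank(vendors, as_of):
    """Highest total first: the most persuasive candidates for sampling."""
    scored = [(v["id"], score(v, as_of)) for v in vendors]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    as_of = datetime(2017, 1, 1)
    for vendor_id, total in rank(VENDORS, as_of):
        print(vendor_id, total)
```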
There are two categories of individuals: the user ID that by job description is responsible for creating or changing entities, and individuals who may create an entity although this is not part of their normal duties. In the vendor master file, these duties are typically limited to a small group of individuals. In the customer master file, depending on the company and industry, the number of individuals that can create or change a customer master file can be large. The missing, matching, and duplicate tests are generally not very useful on this data element. The importance of the data element is linking the event to a person and the search for individuals accessing the master file where that is not part of their normal job duties.
Shell companies are usually associated with vendors; however, shell companies can also be used to commit asset misappropriation schemes, discussed in Chapter 12, and financial statement fraud, discussed in Chapter 14. The same identifying information should be interrogated for shell customers using the same types of tests. In addition the credit code or credit amount should be included. For material financial statement fraud, the credit code would be high for a new customer. For asset misappropriation, the credit code will determine the amount of false invoices.
Payroll shell companies are referred to as ghost employees. The category description of ghost employees is similar to the preceding categories; the categories' names need to be changed to employee names. Ghost employees are discussed in Chapter 11.
The primary purpose of this book is to explain a fraud data analytics methodology for fraud scenarios versus fraud auditing procedures to examine documents. However, understanding how the fraud links to the fraud data analytics is also critical. In this chapter, we will illustrate the type of evidence gathering procedures necessary to link to your fraud data analytics program.
Before reading, some will believe the procedures are audit related and some will believe the procedures are investigative. Just ask yourself the following question: Would your test of the new vendor procedures reveal a shell company? If not, continue reading. For those still undecided, consider the rules of audit evidence as it relates to qualitative evidence. The highest form of qualitative evidence is externally created and externally stored. The steps described in entity, legal, physical, business capacity, and reference checking fit that bill. One more example: In a financial audit of accounts receivable, auditors send confirmations, which are externally created and externally stored evidence. Remember, it makes no sense to identify a fraudulent transaction in your sample if your audit procedure cannot identify the fraud scenario.
The four entity verification procedures are: legal creation, physical location, business capacity, and reference checking. The first step in entity verification is to determine that the control procedures were adhered to in recording the entity into the business system. Identification of the people associated with establishing an entity structure must be performed for comparison purposes in future fraud audit procedures. The intent is not control testing, but the gathering of information to establish a basis for entity verification.
The order of verification is: analyzing the legal existence, verifying physical existence, evaluating business capacity, and reference checking. The first three procedures can generally be performed in a covert manner; however, reference checking tends to be overt, and so the procedure is generally performed last.
The legal, physical, business capacity, and reference checking procedures provide a sound methodology for gathering evidence that an entity is a shell company versus a real company. The process is not one‐dimensional, but rather a process of collecting and analyzing information that correlates to the fraud scenario. The identification of red flags in both the entity structure and the transactional data provides the auditor with sufficient circumstantial evidence to recommend an investigation process through the legal system.
Shell companies are widely used by people who want to steal company assets, ranging from internal persons to organized crime groups. Management may create a shell company as a way to disguise bribe payments. Banks search for shell companies in their AML programs. From a fraud data analytics perspective, once a shell company is found, there is no question that someone is committing a fraudulent act. As a personal recommendation, I suggest starting your fraud data analytics journey with the search for shell companies. By using the fraud data analytics methodology on something as simple to understand as shell companies, the fraud auditor will improve the art form of the methodology.