A methodology for using data analytics and other techniques to detect shell entities.

Within a company's accounts payable file, shell companies are being used to steal millions of dollars from companies or to conceal bribery payments which violate anti-bribery and corruption laws. The purpose of this article is to explain our methodology and experiences in detecting shell companies without a lead or clue as where to look in a company's database.

What Is a Shell Corporation?
A shell corporation is a legally created entity that has no active business or an entity used to conceal the true identity of the real company operating through a shell company. In essence, a shell corporation exists mainly on paper, has no physical presence, employs no one, and produces nothing. Within more sophisticated concealment strategies the perpetrators may employ the use of an office or employees to provide the illusion of a legitimate business entity. Shell corporations are frequently used to shield identities or to hide money in cases of money laundering, bankruptcy, bribery, and fraudulent conveyances. Scandals range from thousands to millions of dollars and always result in embarrassing moments for the company and management.

Within this article, we will focus on how to locate shell companies in your accounts payable files. The focal points are:

  1. Understanding the inherent fraud scheme approach
  2. Calibrating the audit to the sophistication of concealment strategies
  3. Using fraud data analytics techniques to locate shell corporations
  4. Using fraud audit procedures to identify the shell corporation
  5. Providing a summary of intelligence regarding identified shell companies

Analyst MeetingUnderstanding the Inherent Fraud Scheme Approach
Fraud risk identification is a methodology to classify and identify fraud scenarios through a four-step classification system. The process is designed to clarify the scope of the fraud audit. The methodology starts with a primary classification, secondary classification, inherent scheme, and fraud scenario. Here, we'll focus on asset misappropriation, theft of monetary funds, the inherent scheme structure, and how to convert the inherent scheme into a company-specific scenario.

Using the logic of the inherent fraud scheme and understanding that there are a finite number of permutations of fraud scenarios, the internal auditor is able to build a fraud interrogation system to identify all permutations of shell companies. All inherent schemes have two aspects: the entity structure and the fraudulent action. Our fraud audit approach generally starts with the entity structure of the fraud scenario, often called master file data, and then focuses on the action component, often called transactional data.

False Entity Structure
The false entity is created by an internal employee or external party for the sole purpose of misappropriating company assets. For purpose of this paper we will focus on two permutations:

  • Vendors are either legally created or exist in name only or;
  • The perpetrator assumes the identity of a real vendor. The real vendor maybe a dormant vendor already on the master file or a real vendor which is not complicit in the fraud scheme. The takeover may occur on a permanent or temporary basis.
  • The key is to recognize that there is a finite list of permutations.

Fraudulent Action
The fraudulent action, or the transaction component of a business transaction, is either:

  • False billing: The payment for goods or services not delivered or provided. An illustration of one permutation of the inherent scheme is: A budget owner, acting alone or in collusion with a direct report, causes a shell company to be created and set up on the vendor master file. The budget owner then initiates a purchase order within their authorization levels and approves an invoice for false services causing the diversion of company funds.
  • Pass-through billing: The payment for goods or services that are provided. In this fraudulent action a real vendor provides goods or services to a shell company who in turn provides the goods or services to your organization with a markup on price. (The only function the shell corporation provides is a pass through of the goods or services.)

There are three primary variations of the pass-through action. 1. The action is committed solely by an internal employee. 2. The action is committed by an internal employee in collusion with a sales person from a real supplier. 3. The action is directed by a customer involving cost reimbursable contracts and a general contractor and a sub-contractor. We believe pass-through schemes are highly prevalent in many organizations.

The interesting aspect of the pass-through fraud is that the scenario provides the illusion of internal control compliance. The proverbial three match.
An illustration of one permutation of the inherent scheme is: A budget owner acting alone or in collusion with a direct report causes a shell company to be set up on the master file, places orders for goods or services through the shell company, the shell company places an order with a real supplier, the real supplier ships directly to the budget owner's company, the real supplier invoices the shell company, and the shell company invoices the budget owner's company at an inflated price causing the diversion of company funds.

A key element of the approach is to recognize the different fraud scenarios, which becomes the basis of the audit plan to locate and identify a shell corporation. There must be a specific plan for each scenario. Yes, there will be overlap. However, it is critical to go through the thought process for each scenario.

Calibrating the Audit to the Sophistication of Concealment Strategies
Fraud concealment involves the strategies used by the perpetrator of the fraud scenario to conceal the true intent of the transaction. Common concealment strategies are: false documents, false representations, false approvals, avoiding or circumventing control levels, internal control inhibitors, blocking the access to information, geographic distance between documents and controls, and both real and perceived pressure. An important aspect of fraud concealment pertains to the level of sophistication used by the perpetrator.

Inherent fraud schemes aren't thought of in terms of complexity; rather it is the level of sophistication used to conceal the fraud scenario that is the focus for the fraud auditor. On its most simplistic level, without a concealment strategy, the inherent fraud scheme would be visible. Fraud concealment sophistication should be rated on both the perpetrator's ability to hide the transaction and the auditor's ability to detect the transaction. To aid in the determination of the sophistication of the concealment strategy level, we use a rating scale of low, medium, and high.

There is a correlation between fraud detection and the sophistication of the concealment strategy. When the perpetrator's concealment strategy is more sophisticated than the audit methodology, the fraud goes undetected. Therefore, fraud is revealed when the audit detection is more sophisticated than the concealment strategy. The key is to identify what are commonly referred to as red flags of the concealment strategy.

Red Flags Defined
A fraud red flag is an observable event that links to a fraud concealment strategy that is associated with a fraud scenario. Red flags are used by management to build fraud detection controls and by the auditor as the basis for questioning the legitimacy of the business transaction.

For the red flag to be an effective audit tool, the event must be observable and must be incorporated into the fraud audit program. Red flags by their nature cause an increased sensitivity to the likelihood of a fraud scenario occurring. Not all red flags have the same weight with regard to fraud susceptibility. The weight of a fraud red flag correlates to the predictability of a fraud occurrence. Therefore, the auditor needs to interpret the importance of the red flag to the fraud scenario and be able to arrive at a conclusion regarding the occurrence of the fraud scenario.

There are four categories of red flags: data, documents, internal controls, and behavior. The categories are intended to aid the auditor in identifying the red flags in an orderly fashion, whereby, the auditor should not view the process as a right or wrong exercise, but instead know that certain items can occur in multiple categories. For example, a vendor invoice number can be a data red flag observed through the use of fraud data analytics or a document red flag observed through the examination of the vendor invoice.

Red flags are similar to the concept of circumstantial evidence in a legal proceeding. The red flag is an inference test. It is not the observance of a red flag but the totality of the weight of all red flags observed through the data collection process.

Investigate  AnalyzeIllustration of Red Flags
Here are some examples of red flags that might occur:

  • The date on the first vendor invoice date is within 90 days of the government ministry incorporation date of a shell corporation.
  • Duplicate address, telephone number, government registration number, or e-mail address within the company master file between two or more vendors is a red flag of a pass-through scheme or a vendor operating under various names to circumvent control levels.
  • The vendor invoice number is in a sequential pattern indicates is a red flag of a shell corporation or a conflict-of-interest scheme. An illogical invoice number range indicates a higher level of concealment or a variation of the pass-through scheme.
  • All vendor invoice amounts are with the budget owner's authorization level is a red flag for a shell corporation. Obviously, the budget owner does not want his senior manager to be aware of the transactions.
  • The description of goods or services on the invoice is not consistent with a real business.
  • The key is to incorporate the red flag theory into the fraud data analytic procedures and the fraud auditing testing procedures and, remember, it is the totality of the red flags not just one red flag.

Fraud Audit Plan: Detection of Shell Companies
The process of detecting shell corporations is a two-step process. The first step is to conduct fraud data analytics interrogation routines, which are designed to locate vendors that are consistent with the data profile of a shell corporation or transactions that are indicative of a shell corporation. The second step is to perform audit procedures which are designed to pierce the concealment strategy or reveal the truth. The data mining strategy is a two-fold process. The first step is to build the data profile for the fraud scenario. The second step is to understand how the sophistication of the concealment strategy impacts the fraud data analytics.

Fraud Data Analytics Strategy
There is a direct correlation between the degree of sophistication of the concealment strategy and fraud data analytics strategy. On a simple basis, by matching the vendor addresses to the employee address we can detect a shell corporation. This is low sophistication. When the employee does not use any aspect of his home address, the direct match will not detect the shell corporation. The following describes how we calibrate our fraud data analytics at each level of concealment.

Low sophistication of concealment:

  • Direct matches of the fraudulent entity structure to another entity structure
  • Entity identifying information links to the perpetrators known identifying information, for example, a specific street address
  • Fraudulent activity is linked to one or a few entity structures
  • Overall sample size is determined by the number of transactions that match the data profile. The sample size can range from zero to a large number

Medium sophistication of concealment:

  • Direct matching routines are less effective
  • Sample selection focuses on internal control avoidance
  • Examples of internal control avoidance include split transactions or off-period transactions
  • Entity identifying information relates to some aspect of the perpetrators known identifying information, for example, a zip code location versus a physical street address
  • Sample size tends to be judgmentally determined versus the use of all transactions meeting the matching criteria

High sophistication of concealment

  • Direct matches are not effective because entity identifying information has no relationship with the perpetrators known identifying information
  • Fraudulent activity may be linked to multiple entities or smaller dollar transactions
  • Analysis of transactional data for patterns and frequency that correlate to a fraud scenario
  • Sample selection relies on data interpretation skills
  • Filtering techniques like drill-down analysis are effective in reducing the number of transactions fitting the data profile, thus, allowing data interpretation to be more effective
  • Sample size tends to be judgmentally determined versus the use of a matching criterion

Building the Fraud Data Profile
In the previous section we described the impact of the concealment sophistication model on the fraud data analytics plan. In this section we will provide examples of the type of tests we use to build our fraud data profile. In reality the profile must be built for the company and country where the business is located.

Name: Shell companies often times have non descriptive names. One search is to look for
names with a limited number of constants in the name. Obviously, the country or language the search is performed in will impact the variable. In the United States, for example, we use five constants. We strip out the "Inc.," spaces, vowels or special symbols and then count the alpha string.

Mailing address: Here are two sample approaches. First, search for known mailbox services or second strip out all alpha, spaces, and special symbols and search for duplicate numeric strings in the vendor database or between payroll and vendor databases. In searching for duplicate numeric strings the zip code field should be linked to street number to minimize false positives.

Country, city, state and postal code: One belief is that the shell corporation would be within a radius of the corporation or within the state to avoid crossing state or country lines. We believe this is more likely with low-to-medium sophistication perpetrators than high sophistication.

Telephone number: Shell corporations often use mobile lines when no physical office exists. Also searching for pass-through fraud schemes, duplicate telephone number search is an effective tool, when the pass-through is associated with an existing supplier.

Create date: The ACFE annual study provided statistics regarding duration that fraud schemes occur without detection. The creation date can be used to filter out vendors less likely to be shell corporations. Secondly, we search for a correlation between first invoice date and the creation date.

Bank routing number: Payments are transferred either by wire or address. The routing number can be used to correlate to prospective individuals. The theory is simple; the perpetrator is smart enough not to use their personal bank account but would use the same bank for their shell corporation bank account.

Bank account number: The search is for duplicate bank account numbers in the master file or between payroll and vendor master file.

Vendor invoice number: The invoice number pattern is one the most critical data fields for our fraud data analytics. The reason is simple, the perpetrator creates the number. The pattern and frequency analysis is critical for the search for false billing schemes. The low-sophistication scheme will most likely have a sequential pattern of invoice numbers. For the pass-through scheme, the invoice number pattern will depend on whether the pass-through entity has one or a few customers.

Vendor invoice date: we compare to date of payment to the invoice date using a speed of payment analysis.

Vendor invoice amount: This correlates to the management position of the perpetrator, individuals personal risk tolerance, control levels, and whether the scheme is a false billing scheme or a pass-through billing scheme. On a very simple basis, create a report of frequency of invoice amount. This has proven very effective in locating pass-through schemes involving equipment rental. A second test is to look for vendors where all amounts are below a threshold requiring two approvals.

As you can see, fraud data analytics is a lot like code breaking. We study data for patterns and frequency that correlate to the specific fraud scenario. There are no absolutes; however, there is a lot of hard work.

Collaboration  Review  Report - AuditFraud Audit Procedures to Identify the Shell Corporation
The four entity verification procedures are: legal creation, physical location, business capacity, and reference checking. The first step in entity verification is to determine that the control procedures were adhered to in recording the entity into the business system. Identification of the people associated with establishing an entity structure needs to be performed for comparison purposes in future fraud audit procedures. The intent is not control testing, but the gathering of information to establish a basis for entity verification.

The order of verification is: analyze the legal existence, verify physical existence, evaluate business capacity, and then check references. The first three procedures can generally be performed in a covert manner. Checking references, however, tends to be overt and, so, the procedure is generally performed last.

Verify Legal Existence

  • Government registration: All entities have a legal registration. Employees have birth records and corporations have registration requirements with an applicable government office. The first step is to establish whether the entity is legally created, then gather identifying information that can eventually be linked to other pertinent information. Names of registrars; officers' addresses; and dates related to entity creation, dissolutions, or changes tend to be the critical information. In one case, the name on a government registration document matched a name on a packing slip for a different company. This was the first red flag that eventually led to the exposure of a three million dollar pass-through fraud scheme.
  • Trade associations: When an entity is a member of a trade association, a business's membership provides evidence that the entity is a real one or provides lead to the true ownership. The failure of the business to be a member of any logical trade group is a red flag.
  • Use of internet search companies: Using a service such as Lexus Nexus, which gathers public record information that is made accessible to clients, can find if any public records exist on the company and what type of records they are.
  • We are looking for a linkage to internal employees, linkage to known vendors, or the absence of identifying information. We are also focusing on dates, addresses, and formation companies.

Verify Physical Existence

  • Telephone verification: By contacting the entity, you verify physical existence by the mere fact of the call being answered. Then it becomes a question of how the call is answered. How the call is answered is part of the evidence associated with the audit judgment of whether the entity is real or false. When calling, the possible outcomes are: the telephone is disconnected, someone answers in the name of a different entity, or someone answers in the name of the entity in question. Interview skills are critical to ensure the success of the procedure.

Here a few practical tips:

  • Use a telephone in the area code of the company you are auditing. Area codes from out of the area may create a suspicion of why you are calling.
  • Be prepared to provide an explanation as to why you are calling. Possible explanations are updating records, resolving internal problems, or original documents have been misplaced. Try not to raise suspicion at this stage of the audit.
  • Have the documents readily available to ask questions or provide answers.
  • Avoid calling multiple times, since a second telephone call raises suspicions.
  • Remember the entity you are calling may have Caller ID. Therefore, do not indicate that you are someone other than the person associated with the number identified.
  • The manner in which a call is answered must be consistent with the anticipated business size.
  • Internet search engines like Google Maps: Online maps can determine what physical structure is located at the known address and whether the address is consistent with the entity structure. Often, the created entity scheme will use the address of a personal residence. Remember that many small businesses operate from the owner's personal residence, so, in this case, reference checking may be preferred in order to reveal that the entity does not conduct business.
  • Site visit: By visiting the site, it can be determined what physical structure is located at the known address and whether the address is consistent with the entity structure. Private detectives often will perform the procedure for a nominal charge, so the use of one may be useful for verifying entities that are not located in your geographic area. A significant international fraud was revealed by visiting the physical location which determined that the business was a beverage store versus an international food broking company.
  • Public records: Records can determine whether a governmental agency or business recognizes the entity as a real entity, and that the address is recognized by other entities. A legal instrument filed by banks securing a loan indicates that the bank believes the entity is real. The loan instrument may provide clues that link to the perpetrator.
  • The IRS web site can provide federal identification verification which will determine whether the federal identification number or social security number matches the name associated with the ID number. In many parts of the world, corporations will have a VAT number which can be confirmed with a government ministry and provider a source of intelligence.
  • The Internet has extensive databases and search engines to gather information. At the simplest level, Google is an excellent starting point. At the advanced level, there are research companies that have made an art on how to navigate Internet data and other sources.

The bottom line is to determine if the known physical location of the business is consistent with the business on the vendor invoice.

Business Capacity Test

  • Proof of insurance: Real companies tend to have insurance. The fraud testing procedure would consist of a request of the certificate of insurance. Fortunately, such a request is a normal control procedure in many companies, but for fraud audit purposes, the need is to examine the certificate to take note the date of coverage and types of coverage.
  • Employees: A company telephone directory provides evidence that the company has employees. By calling the company, you are often referred to the company telephone directory when you do not know an employee's extension.
  • Public records: A public record filed by a bank or a financing company can indicate a lien has been filed against the described asset. It also indicates that the bank recognizes the entity as a real one.
  • Shipping documents: Documents such as, a billing of lading indicates the source of the shipment, therefore providing verification.
  • Vendor invoices: What software produced the document? Was it excel or consistent with a known database accounting software. Is the product description consistent with industry standards as to sku #'s or alpha descriptions?
  • Websites: If a company has a web site, does such a site provide matching information about the businesses and services offered? An examination of a website determined that the goods purchased from the company were not consistent with the website revealing a real company involved in a pass-through scheme with an internal employee.

We believe the business capacity test is the most important analysis. The determination is simple: does the company listed on the invoice have the capacity to provide the goods or services listed on the invoice?

Reference Checking

  • Professional associations: Is the entity recognized by a trade association? Such organizations can also provide useful information on trade practice and trends, which in turn can be used to corroborate representations made by individuals.
  • Competitors: Contact competitors to establish that the entity conducts business consistent with the goods and services described on the invoice. Competitors may also provide other information regarding ownership and business conflicts.
  • Media searches: Information published regarding the entity may provide names, services and legal actions regarding the entity. Advertisements by the entity would suggest the existence of the entity and describe the type of services provided by the entity.

The bottom line: Is the business known by the industry?

Summary of Intelligence Regarding Shell Companies
The legal, physical, business capacity, and reference checking provides a sound methodology for identifying shell corporations. The process is not one-dimensional, but rather a process of collecting and analyzing information that correlates to the fraud scenario. The identification of red flags in both the entity structure and the transactional data provides the auditor with sufficient circumstantial evidence to recommend an investigation process through the legal system.

Although the methodology for conducting a fraud audit is different from traditional auditing, the internal auditor employs many of the same skills and tools as is used in a traditional audit. Fraud audits are a blend of new methodologies and traditional audit tools. Instead of debating whether the procedure is a traditional audit, fraud audit, or fraud investigation, it's time our profession directed its efforts toward uncovering fraud in core business systems.