Welcome to Understanding Link Analysis. The purpose of my site is to discuss the methods behind leveraging visual analytics to discover answers and patterns buried within data sets.

Visual analytics provides a proactive response to threats and risks by holistically examining information. As opposed to traditional data mining, by visualizing information, patterns of activity that run contrary to normal activity surface within very few occurances.

We can dive into thousands of insurance fraud claims to discover clusters of interrelated parties involved in a staged accident ring.

We can examine months of burglary reports to find a pattern leading back to a suspect.

With the new generation of visualization software our team is developing, we can dive into massive data sets and visually find new trends, patterns and threats that would take hours or days using conventional data mining.

The eye processes information much more rapidly when information is presented as images, this has been true since children started learning to read. As our instinct develops over time so does our ability to process complex concepts through visual identification. This is the power of visual analysis that I focus on in my site.

All information and data used in articles on this site is randomly generated with no relation to actual individuals or companies.

Using Visual Analysis for Forensic Accounting

Those engaged in forensic accounting know that parsing multiple ledgers with thousands of entities to detect potential issues can be a monumental task. In much the same way we have talked about utilizing visual analytics for a variety of fraud, compliance and threat related tasks, visual analysis holds value to those engaged in forensic accounting.

For my example we are going to import ledger data from a forensic audit into SynerScope for visualization. The hierarchies we establish are payable accounts to receivable accounts as shown in the illustration below.

SynerScope visualizes direction of travel with green being sending entities and red being receiving entities. When you combine green with red, you get black entity bundles which helps us quickly identify accounts which may be entry errors, out of balance or wrong debit or credit entries within the ledger. This assists the forensic accountant or fraud examiner, by identifying potential problematic activity and accounts for further examination. With one of the hardest chores in accounting or fraud examinations being where to start, you can see by leveraging visual analysis that chore is significantly reduced.

There are two simultaneous and interactive visualizations being produced within SynerScope, a Dynamic Relationship Diagram which indicates the flow of debit and credit entries between the payable to receivable accounts and a Sequential Event Viewer or Time Diagram, showing events in order of occurrence. The forensic accountant or fraud examiner can use either of the visualizations to drill down and examine their data.

Within the Sequential Event Viewer, there are four distinct blocks of activity occurring within the ledger transactions. Random events when visualized appear as noise. This noise is important when leveraging visual analysis to allow the analyst to differentiate between normal or random activity and structured activity. As a general rule in all types of visual analysis, random activity is good and represents the normal flow of operations while structured, clustered or interrelated activity is questionable and needs to be carefully examined for threats.

Lets start by drilling into the first noise block within the Sequential Event Viewer. Within the Dynamic Relationship View, most debit and credit transactions overlap which creates black connecting bundles. For a high level view of the relationship visualization, what jumps out at us are the red and green connecting bundles which indicate some unbalance. By hovering over the bundles of interest we can get an interactive perspective of when these transactions are occurring in time. By right clicking on highlighted bundle, we can surface the underlying data for examination of the event. The most condensed and interesting bundle is activity from company results to foreign debt, the amounts are significant with most being over $100k.

Moving to the next block of data within the Sequential Event Viewer, the visualization clearly shows money being paid out from the cash accounts to the customer accounts. Curiously when hovering and right clicking on the bundles, the amounts are standardized and repeating for very low transaction amounts. This could be an attempt on the accountants part to "bury the needle in the haystack".

Within the same time frame there is a subset of structured activity which is occurring. By drilling down into this second set of structured transactions we they are reoccurring payments all for the same amount.

Another interesting observation is a circular visualization object which appears to be correction entries from the ledger. By examining the underlying data they are repeating entries for a very low amount.

The next block of structured data within the Sequential Event Viewer, shows almost the contrast to the previous block with money from the customer accounts returning to the cash account. However, there are some strange occurrences surfacing in our visualization. It would appear that there are direct transactions between the customer accounts without any GLA coming into play. Basically it would appear as if we have customers paying each other within the ledger. By examining the underlying data these amounts are typically not very large and should not be appearing within the ledger at all.

In the next block of transactions within the Sequential Event Viewer, we see more of the same types of transactions we saw in the first noise block, overlapping credit and debit transactions which show as black within the bundles in the Dynamic Relationship View. What jumps out in this visualization as well are the green and red bundles to accounts which would indicate some unbalance.

There are three blocks of activity occurring in this last set of data within the Sequential Event Viewer, a block of random transactions, followed by a subset of structured transactions followed by another block of seemingly random transactions. By looking at the last sub-block in the visualization we see a repeating pattern of money being paid out from a debit account to an internal cash account for a large amount of money. This could be a strong indicator that the underlying repeating transactions from the two structured blocks within the sequence view were created to hide a large amount of money being siphoned from the company.

In summary, from this article you can see that visual analytics can provide a great resource to those involved in internal auditing, forensic accounting and fraud examinations. While not eliminating the steps involved in such audits, it gives the examiner areas which to focus on and a holistic concepts of the flow of transactions within the ledger.

For a complete perspective of leveraging SynerScope for forensic account and fraud examinations please view the following video.