One of the songs which has always moved me the most is Paul Simon’s song America, which was originally released on the Simon and Garfunkel album Bookends in 1968. But it wasn’t until I moved back to Texas after law school that the song fully resonated with me. The song starts out as a travelogue to “look for America”: boarding a bus in Pittsburgh, hitch-hiking from Saginaw Bay, counting the cars on the New Jersey Turnpike. Having spent four years of grad school and law school in Michigan, the line “Michigan seems like a dream to me now” had a special poignancy.

Yet the travelogue turned more introspective with the lines in the third stanza “Cathy, I’m lost, I said though I knew she was sleeping; And I’m empty and aching and I don’t know why.” For anyone who has ever wondered what and where their place might be, those lyrics are, according to Dan Einav writing in the Financial Times (FT) column The Life of a Song, “some of the most arrestingly sad words Simon ever penned.” I have heard innumerable versions of this song from artists as diverse as Sting to Yes, David Bowie to U2 but this song is always a highlight for me and the one which moves me the most.

I thought about the insights I garnered from Simon’s classic when I considered a recent article in the Association of Certified Fraud Examiners (ACFE) Fraud Magazine November/December edition, entitled “Escape the Analytics Software ‘Black Box’”, by Ernst & Young (EY) partner Vince Walden. In his piece, Walden posited that “the black box is dead” in that there is no single tool to use to identify high-risk transactions, customers, employees or third parties. Yet, it is now even easier to ask “big insightful questions from your data.” Every compliance professional should embrace this.

Walden quoted Dean Stoecker, Chief Executive Officer (CEO) and founder of Alteryx, Inc., a software company, for the following: “Companies of all sizes recognize the tremendous potential for data, but many struggle turning that data into actionable insights. Understanding data to make imperative business decisions can no longer be the responsibility of one role, one team or one department. Organizations need to empower every data worker — regardless of technical acumen — to advance their data science and analytics skills quickly in either a code-free or code-friendly environment.”

It is this concept of using artificial intelligence (AI) to provide insights which is critical for the compliance practitioner. Walden cited to his EY partner Todd Marlin, “When organizations look at transactions, it’s critically important that they identify the specific triggers that are driving the risk scores and what’s influencing the predictive models.” But you need to add on a level of business analysis by asking “Do the technical decisions you’ve made match the business intention?” This demonstrates the need for human intervention to not only interpret the data but then apply it in a meaningful manner.

Walden posited that you can move away from a “solutions approach” to a more “insight approach”. While he was writing about fraud detection and prevention, these same concepts apply to corruption, which is by definition a subset of fraud. He noted, “Your objective to increasing business transparency and improving your integrity culture is to not just provide business intelligence solutions to known, historical fraud risks — aka, looking backwards — but to season your program to predict future fraud risk areas and prescribe insightful, timely mitigating activities to the user.”

Walden provided three anonymized examples where companies used this type of forensic approach to their fraud detection and prevention activities. In the first example, a company was facing an increased number of fake customer schemes in its Latin American operations, where the sales team was alleged to be creating fake customer invoices to hit its sales numbers. The sales team was using discounts, rebates and other post-contract adjustments to obscure the fraud. The company needed to correlate a wide variety of data to begin to see the pattern. The key insight was to incorporate known attributes of fraudulent sales into an adaptive learning model which could then flag transactions for additional investigation.

In a second example, a financial institution data mined social media for potential conflicts of interest in its employee base. The insights gained from this data mining allowed a more robust prevention program by training on the company’s Code of Conduct and how it applied throughout the organization. This approach even moved towards a more prescriptive solution as it allowed the company to see where certain trends might be moving and the company could enter into a low cost, yet more effective intervention.

The process of cleaning, parsing and proofing data, called “data munging”, still takes the most time, trouble and effort. Walden cited to a study by CrowdFlower, now Figure Eight Inc., which found that data scientists spend approximately 80% of their time on this largely administrative task, rather than on more productive tasks. However, there are tools which can now more effectively and more efficiently handle such tasks. Walden noted one company that had “used robotic process automation (RPA) to automate many of the data munging tasks.”

This included (1) constantly requesting data feeds from systems and compiling them into a single “data lake” that could be used for a wider variety of compliance reviews; (2) evaluating the quality of data, then performing automated remedial steps through statistical modeling to rapidly source data anomalies, such as incomplete fields; (3) notifying the users in the organization of source-data inconsistencies through emails; and (4) staging data and creating automated alerts to users when certain key tasks were complete, such as a desktop notification when the latest batch of data was available for review.”

Walden concluded by reminding readers that, properly seen, compliance is a business process. As such, you should keep in mind certain queries, such as:

  • What are the company’s high compliance and ethics risks?
  • Who within the organization is responsible for managing these risks?
  • What controls are in place to manage these risks?
  • Are these controls working? Are they effective?
  • How do you know (or not) this?

The key is that, through greater data mining and asking more insightful questions of that data, you can truly move from a reactive-detect mode to a proactive-prescriptive mode.



© Thomas R. Fox, 2018