A technology-driven response to fraud
KPMG’s recent report, Global Profiles of the Fraudster, raises a number of important issues about the current state of fraud prevention and detection in corporations. One of the major recommendations of the report is to “fight fire with fire.” While a growing percentage of fraudsters are using technology to perpetrate fraud, only a relatively small percentage of organizations are using technology to proactively fight fraud.
In an ideal world, “fighting fire with fire” would mean that software applications such as ERPs are built in such a way as to be bulletproof, preventing any fraud from occurring by means of many layers of controls. Of course, in the real world, this is far from being the case. The KPMG report finds that “weak internal controls were a contributing factor for 61 percent of fraudsters.” Even when controls are designed to be strong, the biggest frauds involve circumvention of controls. Of particular concern are the situations (involving 44 percent of perpetrators) in which individuals “have unlimited authority in their company and are able to override controls.”
More or stronger controls are not necessarily the answer
The KPMG report does not suggest that better embedded ERP controls are the answer—presumably because it is clear that this is not practical. How many tens of thousands of reports are produced every year globally by auditors and consultants, pointing out weaknesses in ERP internal controls? The reports don’t seem to be doing much to actually solve the problem. Of course the most common reason why internal controls are not fully effective is that they often get in the way of running an efficient process. A highly controlled system soon becomes too cumbersome and slow to meet business demands. So the typical response is to loosen or work around controls—often with the best of intentions. But this is when opportunities occur for fraudsters to take advantage of control weaknesses.
Data analytic fraud monitoring—efficiently enhancing control systems
It may seem to some finance and control managers to be an intractable dilemma. But the KPMG report focuses on the most effective technology solution, which is both simple (relatively at least), and well proven within the forensic auditing world. As the KPMG report states:
“a very important technological tool in fighting fraud is data analytics … to search for unusual transactions amid millions of day-to-day sales and purchases.”
It is also a well proven fraud detection and prevention approach within certain financial businesses. Just look at how effective credit card companies have become in monitoring for fraud and notifying consumers of possible problems—within minutes of transactions taking place.
The KPMG report finds that although more organizations are using fraud monitoring analytics, the numbers are still not great. In fact, only 3% of frauds are detected through proactive data analysis. Why are so many organizations still not using data analysis for fraud monitoring? It seems to be the ideal solution. It actually becomes an additional level of control, supplementing the more traditional controls that are meant to be in place. It is also a control that is easy to fine-tune and focus on the areas of greatest risk, simply by varying the thresholds and criteria for exceptions.
Many organizations that have implemented a fraud monitoring program—and broadly communicated to employees that it is in place—find a reduction in fraud due to the deterrent effect. If employees who fit the fraudster profile know that their activities are monitored, but not exactly how, then they are a lot less likely to proceed with opportunistic attempts at fraud.
Of course, data analysis itself is only part of the technology solution. The fraud monitoring process involves multiple stages for which technology is essential—everything from identifying and assessing specific fraud risks, through to managing exception resolution and investigations.
Maybe the answer lies in more leadership awareness
So, again, why are so many organizations still not using technology for fraud monitoring? I suspect there are several answers to this question—but I would suggest that the root cause is lack of leadership awareness and attention. Data analysis is still often seen by many managers and leaders within finance, risk and compliance functions as a technical area, often delegated to technical teams with insufficient resources to have a serious chance of success. In terms of day-to-day priorities, it is also often seen as one of those good ideas, “but not right now.” So, organizations live with the risks of fraud until a large one occurs and gets a lot of attention—at which point the damage is done.
Published with permission from ACL Services