Effective management of fraud has long been a vital capability within organizations, and for good reasons. According to the Association of Certified Fraud Examiners’ 2020 global study on occupational fraud and abuse, companies lose an estimated five percent of revenue per year due to fraud. In addition, the median duration of fraud (i.e., the average time between when a fraud begins and when it is detected) is 14 months. And the longer fraudulent activity remains undetected, the greater the financial losses.
Whether you’re a small company or a large, multinational organization, you’re not immune to the repercussions of fraudulent activity. Fraud can have a financially negative impact on an organization and can erode the trust of current and future customers, as well as investors in a company.
Why do people commit fraud?
To effectively fight fraud, it is important to understand how and why it occurs. People who commit fraud generally do so because of one of three elements that make up what’s called the Fraud Triangle – a model developed in the 1970s by well-known criminologist Donald R. Cressey. Those elements are opportunity, pressure, and rationalization to perform the act of fraud:
- Opportunity exists through weaknesses in the internal controls such as segregation of duties, security violations, or no system controls to prevent or detect fraud.
- Pressure (or motive) can be imposed due to personal financial problems or personal vices/addictions.
- Rationalization occurs when the individual develops a justification for their fraudulent activities. For example – “I didn’t get a raise, so the organization owes me.”
According to The Handbook of Fraud Deterrence, the key to reducing the likelihood of fraudulent activities is removing one of the three elements in the Fraud Triangle. “Of the three elements, removal of opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to the deterrence of fraud” (p. 41).
Proven techniques for building effective fraud management
Listed below are five proven techniques to address weaknesses in internal controls (i.e., removing the Opportunity element) that can improve your fraud risk management program with better fraud detection, preventative, and responsive control capabilities.
1. Detecting fraud with risk indicators
According to the Institute of Internal Auditors (IIA), fraud risk indicators are “metrics used by organizations to provide an early signal of increasing fraud risk exposures across the organization. And when designing, assessing, or monitoring systems of internal control to limit the risks of fraud, significant value can be derived from incorporating indicators of fraud into systems of control.” Some examples of fraud risk indicators include:
- There are ineffective controls such as inadequate segregation of duties or insufficient data security.
- There are unusual, excessive, or suspicious overrides, duplications, or cancellations of transactions.
- Transactions are processed by people who would not usually process those transactions.
Utilizing technology to continuously monitor these fraud risk indicators is a great way to detect fraud proactively.
2. Enable continuous control monitoring
Gartner has officially recognized Continuous Controls Monitoring (CCM) as a risk management product category, and it is highly recommended for improving your fraud detection capability.
According to Gartner, effective CCM can enable Continuous Assurance (CA), which is the periodic collection of audit evidence and indicators for the benefit of internal audits. Furthermore, Gartner mentioned that CCM could be performed for segregation of duty (CCM-SOD) security violations, which are one of the significant fraud risk indicators, CCM for transactions (CCM-T), and CCM for master data (CCM-MD). Combining all three can be a powerful fraud management controls mechanism enabling layers of security controls.
3. Leverage artificial intelligence & machine learning
To combat today’s sophisticated fraud risks, organizations should employ artificial intelligence (AI) and machine learning (ML) empowered data analytics to detect inconsistent usage patterns. Tools that use AI and ML can replace the older rules- and signature-based tools to dramatically improve the effectiveness of your fraud prevention, detection, response, and recommendations process. Furthermore, AI & ML can enable continuous (24/7/365) fraud monitoring and real-time reporting.
4. Adopt an adaptive security model
Being able to detect threats as they happen, quickly identify and address vulnerabilities to avoid threats, and continuously improve your security posture is crucial in today’s security landscape.
One strategy recommended by Gartner is aligning to the Continuous Adaptive Risk and Trust Assessment (CARTA) approach, which is Adaptive Security enabled by an Attribute-Based Access Control (ABAC) security model.
The ABAC security model can enable adaptive security with context-aware configurable controls to prevent segregation of duty security violations and create preventative transaction and master data level controls to avoid fraud. Additionally, ABAC can enable the automated enforcement of policy requirements at the business process, transaction, and master data level to prevent fraud.
5. Maintain effective internal controls
Internal controls are the foundational enabler of your fraud risk management program. You cannot manage risk if you are not able to assure you have effective internal controls. Therefore, “fraud deterrence and the rigorous adoption of an effective internal control environment where the tenets of fraud are ingrained in the minds of each employee is a must for any organization to combat the risk of fraud and serves to minimize fraud (The Handbook of Fraud Deterrence, p. 19).” Furthermore, constantly monitoring the fraud control effectiveness is vital to provide assurance that residual risk levels are within the organization’s acceptable risk appetite level.
The effort to manage fraud is a constant battle that requires a combination of effective security, risk management, and analytics enabled by technology. Failure to invest in effective fraud management is not an option for organizations. The use of the five proven techniques will be a valuable investment in your fraud management program.