Continuing on from last week…
Figure 1 from the book “Computer-Aided Fraud Prevention and Detection: A Step-by-Step Guide” describes two approaches used to identify fraud risks and control exposures. The first looks at control weaknesses and assesses how these exposures could be exploited. The second starts with the key information or data fields, examines who could modify or manipulate these critical pieces of information, and then assesses the controls that should be in place to prevent this from happening. The essential element of both approaches is examining the business process from the perspective of the fraudster – basically who can do what and why.
Figure 1 – Approaches to identifying fraud risks
The first approach encourages you to think about the risks and possible control weaknesses; and to answer three questions:
- Who could benefit from the control weaknesses?
- What can they influence, control or affect to permit the fraud to occur?
- What would it look like in the data?
By looking at the adequacy and effectiveness of critical controls you can identify the critical opportunities for fraud.
The second approach starts with the key fields and identifies the key controls that should be in place. You are encouraged to consider the key pieces of information required by the business process; and ask four questions:
- Who can create, modify or delete this information?
- Why might they do this?
- What are the key controls to prevent this from happening?
- What tests can be performed to see if someone is committing a fraud?
Once you have identified a control weakness or key fields that could be altered in order to commit a fraud, the next step is to examine the actual data.
There are two types of symptoms of fraud that may occur in the data – known and unknown. The ideal situation is one where the risks are measurable and the symptoms known. In these cases, it is possible to develop specific tests to look for symptoms. However, sometimes the symptoms are not well known or understood. In those cases, another approach looks for anomalies or patterns in the data to detect symptoms of fraud – unknown symptoms. Fraud, in particular, often looks different from a normal transaction – but is hidden by the volume of transactions. The fraudulent transactions often follow an unusual pattern or trend, such as an excessive use of management override to bypass key controls.
When you filter, sort, sum, and otherwise manipulate the data, the fraudulent transactions often stand out. A filter can easily identify instances where contracting authority was exceeded (e.g. contracts over the contracting limit for the individual) or avoided (e.g. split contracts). A simple sort on credit card number, insurance policy number, invoice number, vendor name, employee number, etc. will quickly reveal transactions that are not within the normal pattern (e.g. insurance policies that start with ‘9’ where all others start with the year ‘2014’). Examining key dates can find fraud – for example, reviewing the date the contract bid was submitted to find bids submitted after the bid close date; or identifying patterns in the contracts such as the ‘last bid wins’.
A review of the completeness and integrity of the data can highlight fraudulent transactions – for example, examining mandatory fields to identify instances where there is no employee number, or an invalid employee number, but the employee is still being paid; or negative receipt quantities where the receiving clerk is entering negative “receipts” to lower the inventory levels in the inventory system and then stealing the “excess” items.
Comparisons of data in different systems can also identify frauds such as persons on the payroll who are not in the employee database or can highlight unusual rates of pay.
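
The known-symptom tests described above (contracting limit exceeded, split contracts, bids after the close date, payroll records with no matching employee) can be written as a few small filters. This is an added example, not code from the book or the original post; the records, IDs and limits are constructed, and the 7-day window used to group possible split contracts is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for illustration; limits and IDs are assumptions.
LIMITS = {"E100": 10000, "E200": 25000}  # contracting limit per employee
CONTRACTS = [  # (contract_id, employee, vendor, amount, award_date)
    ("C1", "E100", "Acme", 12000, date(2014, 3, 1)),   # exceeds E100's limit
    ("C2", "E100", "Birch", 6000, date(2014, 3, 10)),  # C2 + C3: possible split
    ("C3", "E100", "Birch", 6000, date(2014, 3, 12)),
    ("C4", "E200", "Acme", 9000, date(2014, 4, 2)),
    ("C5", "E100", "Birch", 3000, date(2014, 9, 1)),   # same vendor, months later
]
BIDS = [("B1", date(2014, 2, 1), date(2014, 2, 5)),    # (bid_id, submitted, close)
        ("B2", date(2014, 2, 7), date(2014, 2, 5))]
PAYROLL = [("P1", "E100"), ("P2", "E999"), ("P3", "")]  # (payment_id, employee)
EMPLOYEES = {"E100", "E200"}                            # employee master file

def over_limit(contracts, limits):
    """Filter: contracts above the signer's contracting limit."""
    return [c[0] for c in contracts if c[3] > limits.get(c[1], 0)]

def split_contracts(contracts, limits, window_days=7):
    """Same employee and vendor, each within limit, close in time, sum over limit."""
    groups = defaultdict(list)
    for c in contracts:
        if c[3] <= limits.get(c[1], 0):
            groups[(c[1], c[2])].append(c)
    flagged = set()
    for (emp, _vendor), rows in groups.items():
        rows.sort(key=lambda c: c[4])
        for i, first in enumerate(rows):
            near = [c for c in rows[i:] if (c[4] - first[4]).days <= window_days]
            if len(near) > 1 and sum(c[3] for c in near) > limits.get(emp, 0):
                flagged.update(c[0] for c in near)
    return sorted(flagged)

def late_bids(bids):
    """Key dates: bids submitted after the bid close date."""
    return [b[0] for b in bids if b[1] > b[2]]

def unmatched_payees(payroll, employees):
    """Completeness and cross-system: paid with a missing or unknown employee number."""
    return [p[0] for p in payroll if p[1] not in employees]

if __name__ == "__main__":
    print(over_limit(CONTRACTS, LIMITS), split_contracts(CONTRACTS, LIMITS),
          late_bids(BIDS), unmatched_payees(PAYROLL, EMPLOYEES))
```

Each function returns the IDs of the exceptions only; these are leads to validate against source documents, not findings.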
Data analysis can provide you with an indication of where to look and what to look for. It can focus your review; and help you to rule out transactions that are correct. In addition, with known frauds, you can use it to size the extent of the loss. You can also use it to see if the same symptoms are occurring elsewhere. Finally, in many cases, data analysis will be a direct pointer to the critical evidence – the forged check, the serial number of the stolen item, or the evidence of collusion.
Lessons-Learned – using analytics to detect possible frauds is only the start. I have successfully identified possible fraudsters and then failed to follow through sufficiently to “prove” the fraud. As a result, they got off the hook. At the same time, I have run analytics that looked pretty solid, but in the end exceptions, misinterpretation (or even worse – incorrect analysis) falsely identified the person as a fraudster. You have to pursue the guilty and protect the innocent. In either case, it is important to validate and verify; and then trust your analysis so that you don’t fall for the misdirection and excuses you are being fed by the guilty parties.