Proactive fraud monitoring is a crucial element in the fight against fraud

PwC’s Global Economic Crime and Fraud Survey 2018 found that 49% of respondents said that their companies had experienced fraud or economic crime in the previous two years, up from 36% in their 2016 survey.

But PwC believes that the real number is actually much higher; they suggest that some victims are simply not aware that fraud is taking place, and that too few companies are fully aware of the risks they face. We’ve all heard of well-reported cases where fraud went undetected for many years.

The 2018 Report to the Nations from the Association of Certified Fraud Examiners, Inc. (ACFE), a fascinating global study which examines data from 2,960 cases in 125 countries, found that the median duration of a fraud scheme was 16 months. The more senior the perpetrator, the longer the fraud scheme was likely to go undetected:

[Figure: How does the perpetrator's level of authority relate to scheme duration? Source: 2018 Report to the Nations. Copyright 2018 by the Association of Certified Fraud Examiners, Inc.]

And not surprisingly, there’s a strong correlation between the perpetrator’s level of authority and the size of the loss:

[Figure: How does the perpetrator's level of authority relate to occupational fraud? Source: 2018 Report to the Nations. Copyright 2018 by the Association of Certified Fraud Examiners, Inc.]

They also found that fraudsters tend to start small and increase their frauds rapidly over the first three years.

However sophisticated your preventive controls and processes are, there’s always a possibility that someone in your organization can find a way to bypass them, so it’s crucial to implement proactive fraud detection measures to identify fraudulent activity quickly and minimize the damage.

What are the most effective anti-fraud controls?

Of course, we’ll never be able to measure the amount of fraud that is prevented by our controls, but ACFE’s study assessed the relative effectiveness of different control mechanisms by comparing the losses reported by organizations that had specific controls in place against losses experienced by those that hadn’t implemented that control:

[Figure: How does the presence of anti-fraud controls relate to median loss? Source: 2018 Report to the Nations. Copyright 2018 by the Association of Certified Fraud Examiners, Inc.]

It found that the use of proactive data monitoring and analysis was associated with a 52% reduction in fraud losses. It was also correlated with a 58% reduction in the duration of fraud schemes (see below), indicating that it is one of the most useful tools an organisation can deploy in the fight against fraud.

[Figure: How does the presence of anti-fraud controls relate to the duration of fraud? Source: 2018 Report to the Nations. Copyright 2018 by the Association of Certified Fraud Examiners, Inc.]

Fraud monitoring increases your chances of catching fraud early

Data monitoring tools enable you to monitor changes to critical data elements, such as master data or key application control settings, and trigger alerts when specified conditions occur.

The key to implementing such solutions effectively is for people from different parts of the organisation to work together to define what constitutes fraud and identify behaviours that could indicate suspicious activity.

Key business users, IT applications staff and audit/compliance specialists should work together to identify activities within your ERP systems that indicate significant risk, specify what needs to be monitored, and define the parameters of events that should trigger alerts.

What should you consider when implementing a fraud monitoring tool?

  • Build scenarios of how someone could carry out different types of fraud, with examples of the actions they would need to perform in your ERP. This will help you to decide what to monitor and when to trigger alerts. It will also help you to identify known anomalies that can be disregarded.
  • To reduce the risk of fraud escalating, you must be able to respond quickly to red flags, based on the severity of the incident. Alerts should be given a severity level to notify recipients how urgently they need to act.
  • Don’t be tempted to fire off too many alerts. If busy people receive a bunch of notifications every day, most of which turn out to be about anomalies, or changes where the risk is minimal, they’ll start to ignore them. When people receive alerts infrequently, they are more likely to investigate them.
  • So be selective! For example, rather than monitoring for any change to a specified data item, your monitoring tool should offer comparison operators which allow you to specify which change conditions are significant.
  • Testing alerts with sample data is insufficient for finding patterns. Always run a test of your alerts over live data.
  • Consider monitoring changes to master data, such as bank accounts, and application control / system configuration settings. Unexpected events in these areas are likely to be suspicious. Make sure that your solution records “before” and “after” values so you can see when a significant change has been made and then reversed.
  • Ensure that your monitoring tool logs all the important fields. If activity does turn out to be fraudulent, detailed information may be needed to support a criminal investigation.
  • Consider how you will manage the process of investigating, resolving, and reviewing alerts. Using workflow will help you ensure that actions are carried out in a timely manner or escalated when appropriate.
  • If you use more than one ERP system, the opportunity for fraud is greatest where one end-to-end process straddles different systems. Most monitoring tools are geared to operate within a specific ERP, so it’s important to match up alerts from the different systems to gain the complete picture. Typically, you can use a reporting tool to achieve this.
  • Good communication is crucial in creating a risk-aware culture. Everyone involved in the process needs to understand the bigger picture and the importance of their part in it.
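
The selective-alerting points above (comparison operators, severity levels, and "before"/"after" values that expose a change which is later reversed) can be sketched as follows. This is an added example, not code from any monitoring product; the field names, thresholds, the seven-day window and the audit records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not from a real ERP); field names are assumed.
AUDIT = [
    {"ts": "2024-03-01T09:12", "user": "jdoe", "field": "supplier_bank_account",
     "key": "SUP-1001", "before": "GB00AAAA11111111", "after": "GB00BBBB22222222"},
    {"ts": "2024-03-01T10:05", "user": "asmith", "field": "supplier_address",
     "key": "SUP-2002", "before": "1 High St", "after": "1 High Street"},
    {"ts": "2024-03-03T17:40", "user": "jdoe", "field": "supplier_bank_account",
     "key": "SUP-1001", "before": "GB00BBBB22222222", "after": "GB00AAAA11111111"},
    {"ts": "2024-03-04T08:30", "user": "mlee", "field": "approval_limit",
     "key": "USR-77", "before": 10000, "after": 12000},
    {"ts": "2024-03-05T08:31", "user": "mlee", "field": "approval_limit",
     "key": "USR-77", "before": 12000, "after": 50000},
]

REVERT_WINDOW = timedelta(days=7)  # assumed: a reversal this soon is suspicious

# Rule = (monitored field, comparison on before/after, base severity).
# Only significant changes fire: any bank change, but limits only if doubled.
RULES = [
    ("supplier_bank_account", lambda b, a: b != a, "MEDIUM"),
    ("approval_limit", lambda b, a: a >= 2 * b, "HIGH"),
]

def evaluate(records):
    """Return alerts with a severity; escalate change-then-reversal to CRITICAL."""
    alerts, last_alerted = [], {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        for field, significant, severity in RULES:
            if rec["field"] != field or not significant(rec["before"], rec["after"]):
                continue
            prev = last_alerted.get((field, rec["key"]))
            # Value is back to what it was before the previous alerted change.
            if prev and rec["after"] == prev["before"] and ts - prev["ts"] <= REVERT_WINDOW:
                severity = "CRITICAL"
            alerts.append({"severity": severity, **rec})  # keep all fields as evidence
            last_alerted[(field, rec["key"])] = {"ts": ts, "before": rec["before"]}
    return alerts

if __name__ == "__main__":
    for alert in evaluate(AUDIT):
        print(alert["severity"], alert["ts"], alert["user"], alert["field"], alert["key"])
```

Of the five constructed changes, only three raise alerts: the address tidy-up and the small limit increase are ignored, while the bank account that is changed and restored two days later is escalated.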

Find out more about our fraud monitoring tools for Oracle E-Business Suite, JD Edwards EnterpriseOne and JD Edwards World, or if you’d like to discuss your organization’s requirements, please contact us.