Whatever frauds cannot be prevented should be detected very quickly.

A Fraud Detection program is crucial for all organisations as most frauds are detected, normally by accident, after three to five years!

If, however, an organisation wants to be proactive it has two choices: to implement an anonymous, toll-free, external hotline and to do data analytics. Both have their place. The hotline is a reactive tool: you put it in place, train staff and then hope they will use the facility.

Data analytics is the proactive tool: you go out and look for frauds within your business. Best practice recommends implementing both, because each one is a ‘back-up’ to the other: frauds that are not reported should be found by analysing data, and if any red flags are not identified in the data, someone who has seen what is going on will be confident enough to report it.

Data analytic tools can be likened to an owl. An owl is wise, and it takes a determined and sustained effort to find fraud. Owls can also see very well in the dark; fraud is a crime of deceit that is kept in darkness so as not to be detected, and our analysts are able to penetrate the smokescreens that fraudsters put up.

Our analysts use various tools appropriate to each job, as we have found that no single tool is able to ‘do it all’.

Reactive Fraud Detection

Many frauds are known or suspected by both insiders and outsiders. The challenge for management is to convince these ‘innocent’ people that ‘speaking out’ (via a hotline or ombudsman) is their responsibility and is very much in their own interest. The organisation’s anti-fraud culture and reporting processes can be a major influence on the whistle-blower, but it is often fear of the consequences that has the most influence. To the whistle-blower the impact of speaking out can be traumatic, ranging from being dismissed to being ostracised by colleagues.

There are three primary criteria for a successful whistle-blowing mechanism:

Responsibility means that as an employee of your organisation you have an obligation to protect the assets and reputation of the company and therefore, if you suspect or observe misconduct, you are required to report it through the appropriate channels.

Confidentiality means that your identity will not be made known to any other parties.

Anonymity means that you do not have to give your name. You will be assigned a reference number in the event that you need to make follow-up calls supplying more information or to request feedback.

The person managing the hotline needs to ensure accurate and timely reporting and differentiate between the following calls:

  • Allegations of a criminal nature;
  • Allegations which could justify disciplinary action;
  • Hoax calls;
  • Allegations which justify immediate action;
  • Other allegations (i.e. HR disputes, personality clashes, political or racial grievances)

It is unavoidable that information on non-fraud related matters will also be received, so provision must be made for communicating such information to the relevant department/s. Such information must not be ignored, as doing so may result in the whistle-blower losing faith in the system and telling colleagues, who will also lose faith.

There are a few hotline service providers to choose from, some better than others – we would suggest you speak to some of their clients and then make up your mind.

Proactive Fraud Detection

The 2007 Oversight Systems Executive Report on Sarbanes Oxley stated, “Today, continuous monitoring is a mature process that allows companies to automate controls testing and get real-time visibility into their financials. Smart compliance officers and corporate executives are adopting these processes and technology.”

Continuous monitoring fits into the ‘Data Analytics’ building block depicted on the fraud prevention page. There are many benefits of utilizing specialized software to proactively detect symptoms of fraud such as being able to review 100% of transactions with no limit to file size, being able to compare data from different applications & systems and then automating high-risk areas to catch fraud before it escalates.

Many organisations, however, rely on their external auditors to perform proactive data analytics, yet the PCAOB (Public Company Accounting Oversight Board) observed in its January 2007 report that auditors…

  • Were taking some alarming shortcuts in their approach to detecting fraud
  • Were “asleep at the wheel” with fraud detection
  • Were merely checking off items on a standard checklist
  • Were performing the required procedures “mechanically” & were not taking action based on identified risks

Some organisations, having learnt that they cannot rely on their external auditors to detect fraud, have created an in-house function for fraud detection but this is also not without its problems…

  • There are too many products to choose from (It seems that no single product is able to give an organisation all the value it requires, hence some large companies have purchased 3 or 4 different products)

As a result of the above, or to save costs, some organisations have resorted to using spreadsheets to run their data analytics. Recent studies, however, have revealed that nine out of ten spreadsheets contain some error, and the consequences can be severe: a cut-and-paste error cost TransAlta $24 million when it underbid an electricity-supply contract, a missing minus sign caused Fidelity’s Magellan Fund to miss a dividend by overstating projected earnings by $2.6 billion, and falsely linked spreadsheets at Allied Irish Bank permitted a $700 million fraud.

  • Most businesses run analytics on an ad hoc basis, normally during an audit or after a fraud has been discovered – this is ‘too little too late’
  • Obtaining data tends to be difficult. A request for data is made to the IT department, IT schedules the request, and the data is usually received only weeks later. Initial analysis then shows that either some information is missing or that additional data is needed that was not anticipated when the data was first requested, so an additional request is sent to IT for the new data and the waiting begins again. Does this sound familiar?
  • Require teams of analysts to run and interpret
  • In-house analysts tend to leave if offered a better job, taking their expertise with them
  • Client receives an ‘inch-thick’ technical report

…all costing too much with little perceived value.

The World of Fraud Knowledge

For these reasons, we have teamed up with CQS, the local ACL distributor, and now offer a solution that applies automated, pre-defined analytic tests to critical control points within specific business process areas, with a focus on exposing things that are not currently known to management.

If we look at the pie segments in the graphic (Source: http://www.askhal.com/fraud.html), it’s obvious that what a person knows they know (KK) is considerably less than what they know they don’t know (KDK) and a lot less than what they don’t know they don’t know (DKDK), and it’s rare to find procedures or techniques that are applied to specifically embrace DKDK.

Yet, in real life, it’s the DKDK segment of the pie that presents the greatest opportunities and pitfalls. Our continuous monitoring model focuses on the DKDK segment of an organisation.

By automating sophisticated analytics and embedding audit “best practices” in organisations’ business operations, management receives timely notification of anomalies and control breaches, mitigating risks of ineffective or missing controls within application systems.

Business process owners receive timely notification of control breaches, can quickly review quantified exposure of business risk, and can drill down to specific exceptions and transactions to resolve potential problems before they escalate.

As a result, organizations can better assure compliance, contain costs, and minimize losses.

The Drivers of Data Analytics

There are primarily three elements of data analytics that drive its cost:

1. Obtaining & analysing data

2. Quantity of exceptions

a. True positives: generate a ROI
b. False positives: obvious short-term cost
c. False negatives: long-term cost
d. Repeat positives: hidden cost

3. Exception effort

Every exception that cannot be explained needs to be looked into, so there is effort involved in interpreting, evaluating, validating and documenting exceptions.

With the traditional data analytics approach the cost scale increases as the below table indicates…

Ad hoc data analytics tends to cost more each time there is an intervention as the people doing the exercise need to learn the business, the tests, in most cases, need to be refined after each batch of results, salaries need to be paid and, if staff have left, more training needs to be done. These costs are also negatively impacted if the organization goes through a product upgrade or replacement as these ad hoc tests are usually built around a specific software package.

With CCM we write the relevant scripts for you, set up the reporting and then you don’t see us again! This puts you in control, not the consultants, and saves you money…!

In order to ensure success of your Continuous Monitoring process, management needs to recognize that fraud prevention is a strategic issue, be committed to the solution of continuous monitoring and have expert support to set up the process and to ensure maintenance when needed. The investment that your organisation makes in building a holistic fraud prevention program, incorporating continuous monitoring of controls (see graphic below), will serve as effective stepping stones to building a strong risk-based, enterprise-wide compliance program that is part of a sound governance and ERM structure.