Effective management of fraud has long been a vital capability within organizations, and for good reasons. According to the Association of Certified Fraud Examiners’ 2020 global study on occupational fraud and abuse, companies lose an estimated five percent of revenue per year due to fraud. In addition, the median duration of fraud (i.e., the average time between when a fraud begins and when it is detected) is 14 months. And the longer fraudulent activity remains undetected, the greater the financial losses.
Whether you’re a small company or a large, multinational organization, you’re not immune to the repercussions of fraudulent activity. Fraud can have a financially negative impact on an organization and can erode the trust of current and future customers, as well as investors in a company.
To effectively fight fraud, it is important to understand how and why it occurs. People who commit fraud generally do so because of one of three elements that make up what’s called the Fraud Triangle – a model developed in the 1970s by well-known criminologist Donald R. Cressey. Those elements are opportunity, pressure, and rationalization to perform the act of fraud:
According to The Handbook of Fraud Deterrence, the key to reducing the likelihood of fraudulent activities is removing one of the three elements in the Fraud Triangle. “Of the three elements, removal of opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to the deterrence of fraud” (p. 41).
Listed below are five proven techniques to address weaknesses in internal controls (i.e., removing the Opportunity element) that can improve your fraud risk management program with better fraud detection, preventative, and responsive control capabilities.
According to the Institute of Internal Auditors (IIA), fraud risk indicators are “metrics used by organizations to provide an early signal of increasing fraud risk exposures across the organization. And when designing, assessing, or monitoring systems of internal control to limit the risks of fraud, significant value can be derived from incorporating indicators of fraud into systems of control.” Some examples of fraud risk indicators include:
Gartner has officially recognized Continuous Controls Monitoring (CCM) as a risk management product category, and it is highly recommended for improving your fraud detection capability.
According to Gartner, effective CCM can enable Continuous Assurance (CA), which is the periodic collection of audit evidence and indicators for the benefit of internal audits. Furthermore, Gartner mentioned that CCM could be performed for segregation of duty (CCM-SOD) security violations, which are one of the significant fraud risk indicators, CCM for transactions (CCM-T), and CCM for master data (CCM-MD). Combining all three can be a powerful fraud management controls mechanism enabling layers of security controls.
To combat today’s sophisticated fraud risks, organizations should employ artificial intelligence (AI) and machine learning (ML) empowered data analytics to detect inconsistent usage patterns. Tools that use AI and ML can replace the older rules- and signature-based tools to dramatically improve the effectiveness of your fraud prevention, detection, response, and recommendations process. Furthermore, AI & ML can enable continuous (24/7/365) fraud monitoring and real-time reporting.
Being able to detect threats as they happen, quickly identify and address vulnerabilities to avoid threats, and continuously improve your security posture is crucial in today’s security landscape.
One strategy recommended by Gartner is aligning to the Continuous Adaptive Risk and Trust Assessment (CARTA) approach, which is Adaptive Security enabled by an Attribute-Based Access Control (ABAC) security model.
The ABAC security model can enable adaptive security with context-aware configurable controls to prevent segregation of duty security violations and create preventative transaction and master data level controls to avoid fraud. Additionally, ABAC can enable the automated enforcement of policy requirements at the business process, transaction, and master data level to prevent fraud.
Internal controls are the foundational enabler of your fraud risk management program. You cannot manage risk if you are not able to assure you have effective internal controls. Therefore, “fraud deterrence and the rigorous adoption of an effective internal control environment where the tenets of fraud are ingrained in the minds of each employee is a must for any organization to combat the risk of fraud and serves to minimize fraud (The Handbook of Fraud Deterrence, p. 19).” Furthermore, constantly monitoring the fraud control effectiveness is vital to provide assurance that residual risk levels are within the organization’s acceptable risk appetite level.
Pathlock e-Book
Learn how Continuous Controls Monitoring (CCM) from Pathlock can Finance and Accounting leadership ensure that common procurement loopholes are not leveraged to commit fraud.
The effort to manage fraud is a constant battle that requires a combination of effective security, risk management, and analytics enabled by technology. Failure to invest in effective fraud management is not an option for organizations. The use of the five proven techniques will be a valuable investment in your fraud management program.
This article was originally published on Help Net Security.
Share