The Association of Certified Fraud Examiners has a report out this week about which technologies companies are using to fight fraud, although one major theme is that plenty of companies still use traditional anti-fraud tactics — even as the nature of fraud risk is changing rapidly. Hmmm.
ACFE’s 2022 Anti-Fraud Benchmarking Report polled more than 880 anti-fraud professionals around the world, asking them what technologies they use to fight fraud, how their anti-fraud budgets have changed, and how external forces such as the Covid-19 pandemic have affected anti-fraud operations. If you are looking for good benchmarking data to help place your anti-fraud efforts into a bigger context, you should certainly give the report a read.
The most telling line in the report comes right at the start: “Our study indicates that the most commonly used analytics are the tried-and-true techniques that organizations have found success with for decades,” such as exception reporting and anomaly detection, as well as automated monitoring of red flags and business rules. More than half of respondents said they use such techniques.
Along similar lines, the two risk areas most commonly monitored with analytics were fraudulent disbursements and outgoing payments (cited by 43 percent of respondents) and procurement and purchasing fraud (41 percent of respondents). That’s great, but outgoing payments and procurement are financial functions that every business in the universe has, and two primary vectors for fraud. So it’s only natural that they’re also the functions most likely to get the anti-fraud analytics treatment.
Figure 1, below, shows the risk areas where respondents use data analytics for fraud detection.
On the other hand, if we want an example of companies not yet embracing the full potential of anti-fraud analytics, the ACFE also had an interesting stat about what sources of data companies use for their analytics efforts. Eighty percent of respondents said they use structured data, such as invoice amounts listed in databases or dates included on purchase numbers. Only 33 percent, however, used unstructured data — random information that might exist in emails, PowerPoint presentations, or other sources, and that doesn’t neatly export into an Excel table.
Unstructured information is where the good stuff is, especially for frauds that involve multiple employees who might be talking with each other about their scams. That said, unstructured information is also more difficult to process.
“This highlights that most organizations still rely heavily on traditional analytics approaches and data sources to drive their anti-fraud programs,” the ACFE says. Indeed.
Another Issue: Case Management
The ACFE report also asked whether companies use case management software, and 58 percent of respondents said they did not. Moreover, when the remaining 42 percent were asked what type of case management software they did use, the most popular response was some in-house solution. See Figure 2, below, which is a word cloud representation of answers.
OK, several thoughts here. Any large enterprise that isn’t using robust case management software is playing with fire. First, too many pieces of evidence or other details might go missing or be overlooked, tucked away in some random file that never gets collated with the rest of the case. Second, and perhaps even more importantly, lack of a formal case management system runs the risk of scattershot investigation procedures — and that can really bite you in the corporate rear end if the Justice Department is examining your compliance program or civil litigants are claiming that your internal investigation was poorly done.
For example, the most popular case management software is “in house.” What the heck does that mean? Did the IT department code up your very own proprietary case management system? Because that raises questions in my mind about development costs, cybersecurity, and versatility of the system. Or is your case management system really just a series of protocols to guide you as you collect and log evidence via email, spreadsheet, and shared drives? Because that approach is just asking for trouble.
Either way, I find these stats about case management unnerving. Given the wide variety of fraud and misconduct allegations that might come your company’s way, plus the sheer volume and geographic range of complaints that a large company might receive, an ad hoc approach to case management can’t scale to meet that challenge. Companies need a disciplined approach to the task, not some home-cooked lovechild from the legal and IT departments.
Fraud Risk Assessments
My other constant concern about fraud is whether fraud risk assessments are keeping pace with the threat, especially considering that Covid-19 changed the nature of fraud risk so dramatically.
For example, your company might have moved multiple accounting, procurement, sales, and finance functions to remote work when the pandemic struck, followed by a wave of layoffs in 2020 when doom seemed at hand and rapid hiring in 2021 when the economy revived. Your company might also have expanded into new product lines or new customer bases, such as moving from selling plastic components to industrial customers to selling face shields to hospitals.
Think about all the changed fraud risks in that scenario! You have cybersecurity threats from working on remote networks; internal control risks from laying off managers; employee error risks from hiring newbies; and new compliance risks when you moved into selling to hospitals, who are governed by the False Claims Act. (We haven’t even mentioned fraud risks in PPP loans.)
How can you, the chief anti-fraud executive, assess and monitor all those risks — especially if you’re still working remotely too, from the converted spare bedroom in your house? It will require a lot of collaboration with First and Second Line business functions, and lots of technology for transaction monitoring and data analysis.
Except, as we saw earlier, most anti-fraud programs still use traditional analytics to study traditional fraud risks. Is that approach really sufficient for the more complex, nuanced fraud risks companies are enduring today?
If you have any thoughts to share, I’d be eager to hear them. Email me and tell me what fraud issues worry you these days.